One Weak Link to Rule Them All
It is said that any security system is only as strong as its weakest link. A team of researchers today proved that point yet again, showing the world how they could use known weaknesses in the encryption technology that protects online transactions to undermine the security around e-commerce.
An international team of security experts (pictured at right, thanks to Alexander Klink) showed that they could undermine the system most of us rely on to secure our online transactions, so that even though the browser indicates your connection is encrypted (Web browser address starts with "https://") and vetted by a third party to be secure and authentic, it may in fact be controlled by an attacker offering up a counterfeit Web site designed to steal your information.
Web users are taught early on to look for that padlock and https:// connection when shopping or banking online. Those are features denoting that a Web site has been vetted by a certificate authority (CA), a company that issues digital certificates that are supposed to show that the Web site has been vetted and is protecting all transactions from any would-be eavesdroppers.
There are dozens of CAs in business today. Trouble is, a handful of them still rely on an outdated and insecure encryption method (called MD5) to sign their certificates. What the researchers showed was that they could use those weaknesses to effectively duplicate the signing authority for several CAs, allowing them to forge a certificate corresponding to any address on the Web.
From the story:
Armed with those credentials, an attacker who had seized control over a large network, for example, could intercept all requests for users trying to visit a specific e-commerce or banking Web site. The attacker could then redirect the user to a counterfeit version of the site designed to steal the user's credentials. All the while, the user may never know the difference, because the attacker would have presented the victim's Web browser with an SSL certificate, which was signed by an approved CA.
The worst part about this attack is that Web browsers such as Microsoft's Internet Explorer and Mozilla's Firefox are automatically configured to accept any certificates signed by an approved CA. As a result, an attacker using the team's method could create a counterfeit certificate for virtually any Web site -- regardless of the strength of the cryptography used by the signing CA -- as long as the browser implicitly trusts certificates issued by at least one CA that uses the vulnerable encryption scheme.
The security threat here goes well beyond spoofing Web sites or phishing (think Web-based e-mail, for starters). But I've read/heard mixed views from experts on whether this is something the average user should be concerned about.
For his part, Spafford said the fix will take time and won't be easy, and that it's difficult to see how the end user could be expected to do much about it in the meantime:
We can try to educate end-users about this, but the problem is so complicated with technical details, the average person won't know how to actually make a determination about valid certificates. It might even cause more harm by leading people to distrust valid certificates by mistake!
Spafford notes that far too many people take for granted technologies that make the Internet work properly, until those technologies and assumptions start to break down.
"If you look at the way our systems are constructed, too little thought is given to what happens to existing infrastructure when something breaks. Designs can include compensating and recovery code, but doing so requires some cost in space or time. However, all too often people are willing to avoid the investment by putting off the danger to 'if and when that happens.' Thus, we have instances such as the Y2K problems and the issues here with potentially rogue CAs."
Bruce Schneier, a noted cryptography expert and security gadfly, praised the researchers for their work, but said the average Internet user is no less secure because of their findings.
"Don't get me wrong: This is really good research, and it's a nice demonstration of a fundamental flaw, but I don't see this as changing much," Schneier said. "Ask yourself this: When was the last time you checked the validity of a [SSL certificate]? The reality is that good SSL certificates do not improve security at all, because nobody bothers to check them. I mean, I'm a security guy, and I don't do it.
"The CA system is broken, but it works because broken systems tend to be better for society, which needs fluidity in the face of complicated social constructs," Schneier said. "Systems that are broken but work are very common in the real world: Front door locks are surprisingly pickable. Think of faxed signatures, for example. It's a ridiculous form of authentication, yet people trust these documents all the time for very important stuff."
Ultimately, it's not clear what Internet users really can do to shield themselves against this type of attack. A few months ago, I wrote about a plug-in for Firefox called "Perspectives" that may help users spot a counterfeit SSL certificate. When a Perspectives user visits a Web site that uses an SSL cert, the browser plugin queries at least four different "notary" servers and asks them for their observations about the cert in question. The servers respond with information about which key they see being offered by the Web site in question at the moment, and which keys they have seen in the past for that same domain.
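The comparison described above can be written as a small decision function. This is an added example, not the Perspectives add-on's code: the report layout, the thresholds, the verdict names and the fingerprints are all assumptions made for illustration.

```python
# Added example: a Perspectives-style consistency check over notary reports.
# The report layout, thresholds and verdict names are assumptions, not the add-on's.
from collections import Counter

def assess(offered_fp, reports, min_notaries=4, quorum=0.75):
    """Compare the key the browser was offered with what the notaries observe.

    reports maps notary name -> {"current": fingerprint or None, "past": [fingerprints]}.
    """
    answered = {n: r for n, r in reports.items() if r.get("current")}
    if len(answered) < min_notaries:
        return "insufficient-data"
    current = Counter(r["current"] for r in answered.values())
    needed = quorum * len(answered)
    if current[offered_fp] >= needed:
        # The notaries see the same key right now; check whether it is new to them.
        seen_before = any(offered_fp in r.get("past", ()) for r in answered.values())
        return "consistent" if seen_before else "consistent-new-key"
    _, top_count = current.most_common(1)[0]
    if top_count >= needed:
        # The notaries agree with each other but not with the browser, so the
        # difference sits on the browser's own network path.
        return "local-mismatch"
    return "no-quorum"

def constructed_reports(current_fp, past_fps, notaries=4):
    """Constructed sample data: every notary reports the same observation."""
    return {
        f"notary-{i}": {"current": current_fp, "past": list(past_fps)}
        for i in range(1, notaries + 1)
    }
```

A certificate forged under a rogue CA carries a different key from the real site's, so a browser that is offered it while the notaries still see the genuine key gets the `local-mismatch` verdict.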
The Perspectives add-on may or may not help diminish the threat from this attack. I'd be interested to hear from readers with other ideas. Please sound off in the comments below.
Update, Dec. 31, 1:17 p.m. ET: Verisign's Tim Callan just posted a blog entry saying that "this attack has been rendered ineffective for all SSL Certificates available from VeriSign." This appears to be progress from where Verisign was with respect to this when I interviewed Callan two days ago. The post continues: "We have been in the process of phasing out the MD5 hashing algorithm for a long time now. MD5 is not in use in most VeriSign certificates for most applications, and until this morning our roadmap had us discontinuing the last use of MD5 in our customers' certificates before the end of January, 2009. Today's presentation showed how to combine MD5 collision attacks with some other clever bits of hacking to create a false certificate. We have discontinued using MD5 when we issue RapidSSL certificates, and we've confirmed that all other SSL Certificates we sell are not vulnerable to this attack. We'll continue on our path to discontinue MD5 in all end entity certificates by the end of January, 2009."
December 30, 2008; 5:50 PM ET