Security Watch

The computer security community is abuzz with the news announced today by a team of security researchers at the 25th Chaos Communication Congress in Berlin.  The researchers were able to demonstrate how they were able to generate a fake Certificate Authority certificate and thereby allowing them to impersonate any secure website using SSL certificates.

The research is very interesting and the full paper is available here.  What I particularly liked is they used an array of 200 PS3 game consoles to break the certificate.

However, before we all panic and think that the Internet as we know it has come to an end, we should note that the attack has a number of limitations.  Firstly the attack is against the MD5 algorithm, which has known weaknesses since 2004.  Secondly the certificates broken were using sequential serial numbers.  Finally, the researchers have kept their methods to themselves to allow vendors time to address the issue.

Wired magazine has a good write up on the issue, while Rich Mogull has an excellent post on his blog as to why we should not panic with regards to this issue, as does the Security Uncorked blog.  The Errata Security Blog also highlights that not all certificates based on MD5 are vulnerable.  The SANS Internet Storm Center also has a good write up of the issue with a list of vendor statements regarding the status of their certificates.

You can also use this site to check what SSL certificates are being used by a site you are visiting.

Tags: md5, ssl certificates, vulnerability

This entry was posted on Wednesday, December 31st, 2008 at 12:03 am and is filed under InfoSec, Vulnerabilities. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.