Tuesday, January 6, 2009

SSL and MD5 researchers...utilizing weak crypto

Jacob Appelbaum and David Molnar are among the security researchers who brought you the RapidSSL exploit, which relies on the weak MD5 hashes still used to sign SSL certificates. Well, the researchers have now proved that websites under their own control are using the same weak crypto. This is quite funny :-) Of course, I don't mean to imply that this is a server vulnerability. Screenshots below..

7 comments:

ioerror said...

Hi Kristian.

The way that we got started with our project was by actually purchasing an SSL certificate and noticing that someone still issued MD5 signatures. It wasn't really an interesting problem until we realized that it was actually an active issue in the wild. I noted this on a mailing list post to the noisebridge-discuss list.

The Noisebridge certificate is the first certificate that we purchased for the hacklab. It is no more insecure than any other certificate on the internet and if anything it's actually of historical importance (to me anyway).

You might want to read our paper again because I think you misunderstood what the actual problems are with regard to MD5 signatures.

The Noisebridge certificate is perfectly safe until second preimage attacks on MD5 become a reality. At this point, it's just a nice touch.

(It is of course really bad news for CAs to make signatures with MD5 as you have no doubt noticed)

Kristian Erik Hermansen said...

Hi Jacob,

Thanks for the posting. I believe I understand the preimage significance correctly. In fact, I even posted my concerns to Full Disclosure more than a year ago, also advising that SHA-1 might not be a suitable replacement, due to current research progress. Link below.

http://seclists.org/fulldisclosure/2007/Dec/0004.html

Yes, and until second preimage attacks become an issue, noisebridge.net is safe! I didn't mean to imply that the server was any more vulnerable than the rest of the browser clients that trust MD5 hashed certs. I just found it ironic to be utilizing such crypto on the site, nothing more.

You've done some awesome work, as always, and I appreciate your note. But take a look at my post to FD above, and I think you will conclude that I understand the issue at hand. The fact that you noticed the ability to predict the RapidSSL certificate output, and then tied that significance to a real-world attack possibility, shows great aptitude.

Cheers...

ioerror said...

How then are we vulnerable as your blog title "SSL and MD5 researchers prove themselves vulnerable" suggests? :-)

Kristian Erik Hermansen said...

Fair enough ;-) It should perhaps be changed to "...utilizing weak crypto". With MD5 in the shitter, I just presumed you would have been the first to nuke such a cert. I quote CERT here, not that anyone has to listen to them anyway...

http://www.kb.cert.org/vuls/id/836068
"""
Do not use the MD5 algorithm
Software developers, Certification Authorities, website owners, and users should avoid using the MD5 algorithm in any capacity. As previous research has demonstrated, it should be considered cryptographically broken and unsuitable for further use.
"""

rajat said...

Woman says Ubuntu computer kept her from taking online classes
http://www.wkowtv.com/Global/story.asp?S=9667184&nav=menu1362_2

Kristian Erik Hermansen said...

Raj! You bastard ... don't make me break your weak hamachi crypto code ;-P

ioerror said...

Actually, I've been waiting for RapidSSL to reissue the cert as they promised. So far they haven't done it. Pretty sad.