Blog: Experts Uncover Weakness in Internet Security

Experts Uncover Weakness in Internet Security
Ecole Polytechnique Federale de Lausanne (12/30/08) Luy, Florence

Security researchers in Europe and California have discovered a vulnerability in the Internet digital certificate infrastructure that could allow attackers to forge certificates that are trusted by all common Web browsers. The weakness makes it possible to impersonate secure Web sites and email servers to perform undetectable phishing attacks. Whenever a small padlock appears in a browser window, the Web site being visited is secured using a digital certificate from a Certification Authority (CA). To ensure the certificate is authentic, the browser verifies the signature using cryptographic algorithms. The researchers discovered that one of these algorithms, known as MD5, can be misused. The first known flaw in the MD5 algorithm was presented in 2004 at the annual Crypto cryptography conference by Chinese researchers, who performed a collision attack and created two different messages with the same digital signature. The initial attack was severely limited, but a much stronger collision attack has been found by the European and California researchers. The new method proves it is possible to create a rogue CA that is trusted by all major Web browsers. A rogue CA, combined with a known vulnerability in the Domain Name System protocol, could allow attackers to launch virtually undetectable phishing attacks. The researchers say MD5 can no longer be trusted as a secure cryptographic algorithm for use in digital signatures and certificates. Arjen Lenstra, head of EPFL's Laboratory for Cryptologic Algorithms, says the developers of the major Internet browsers have been informed of the vulnerability.

View Full Article