A group of researchers were recently able to subvert the public key infrastructure used by common web browsers using an MD5 hash collision. The MD5 hash algorithm was proven vulnerable to collisions some time ago, but this is a huge real-world example of the problem being exploited with serious potential consequences.
The best part of this whole story is that the bulk of the work was done over a weekend using a supercomputer made out of 200 PS3s.
The team was able to create a rogue certificate authority certificate that had the same MD5 signature as a legitimately signed certificate. This would allow an attacker to create any number of fake SSL certificates and perform a man in the middle attack on any HTTPS site.
As a result of this successfull attack, we are currently in possession of a rogue Certification Authority certificate. This certificate will be accepted as valid and trusted by all common browsers, because it appears to be signed by one of the root CAs that browsers trust by default. In turn, any website certificate signed by our rogue CA will be trusted as well. If an unsuspecting user is a victim of a man-in-the-middle attack using such a certificate, they will be assured that the connection is secure through all common security indicators: a “https://” url in the address bar, a closed padlock and messages such as “This certificate is OK” if they chose to inspect the certificate.
This successful proof of concept shows that the certificate validation performed by browsers can be subverted and malicious attackers might be able to monitor or tamper with data sent to secure websites. Banking and e-commerce sites are particularly at risk because of the high value of the information secured with HTTPS on those sites. With a rogue CA certificate, attackers would be able to execute practically undetectable phishing attacks against such sites.
It appears that with the announcement of the vulnerability, the problem is quickly being dealt with. Verisign has discontinued using MD5-hashed certificates and will replace any MD5 signed certs for free. Even the US Department of Homeland Security’s Computer Emergency Readiness Team chimed in:
Do not use the MD5 algorithm
Software developers, Certification Authorities, website owners, and users should avoid using the MD5 algorithm in any capacity. As previous research has demonstrated, it should be considered cryptographically broken and unsuitable for further use.
Call me paranoid, but this makes me wonder who else may have had their hands on this exploit and for how long.