MD5 SSL Summary
I would like to quickly summarize the SSL MD5 issue presented at the CCC congress in Berlin today. Let me start with a quick FAQ:
- How bad is it?
Bad. But we will survive. The problem makes it possible to create "perfect" phishing sites with valid SSL certificates. The protocol impacted the most is probably HTTPS. But other protocols that use SSL may be affected as well. - What can I do? What do I have to do?
Not much. This is not a "bug" in your browser. The protocol is not "broken". Just the way it is used by some certificate authorities is broken. If you use SSL for purposes like an SSL VPN, you may be able to limit the number of CAs you trust. The more you can limit it, the better. - Is my SSL certificate "affected"
Maybe. See the vendor bulletins below for more details. It depends on who you got your certificate from. However, even if your certificate uses SHA1, someone could still use a fake MD5 certificate to impersonate your site. - Why switch to SHA1 and not RIPEMD/SHA2...
Well... SHA1 is universally supported by current SSL libraries. SHA2 is still new and not well supported. - What protocols other then HTTPS are affected
Everything that uses SSL. Most notably: SSL VPNs, S-MIME. ssh is not affected.
So what is the problem? The problem is that some certificate authorities use MD5 hases to validate certificates they issue. MD5 hashes have been shown to be weak for a while now, and this is just yet another attack using these known weaknesses. These certificate authorities have to change the way they do business (e.g. they have to use SHA1 hashes). Your browser includes a set of trusted certificate authorities. Sadly, some very popular CAs do use MD5s. Disabling these CAs is not recommended or feasible. The attack is still not easy, but very much possible and not just "theoretical". The researchers uses a cluster of 200 Playstation3 systems, and it took them a couple days. So a resonable size botnet would do it probably faster.
Once you have the fake duplicate CA, you could sign certificates at will and a browser would trust them. This can now be used for MiM (Monkey in the Middle) attacks and to impersonate trusted websites.
Basic "best pratices" still apply. This attack is not a "game changer". Most attack will probably still use bad certificates and ask the user to click "ok" to accept the bad certificate.
So short summary: It is bad, but there isn't much you can or need to do right now. Just stay vigilant and read the vendor announcements below for more details:
Vendor Announcements:
Microsoft:
http://www.microsoft.com/technet/security/advisory/961509.mspx
http://blogs.technet.com/msrc/archive/2008/12/30/information-on-microsoft-security-advisory-961509.aspx
Mozilla:
http://blog.mozilla.com/security/2008/12/30/md5-weaknesses-could-lead-to-certificate-forgery/
(we will add more as we find them)
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
MD5 Considered harmful today - Creating a rogue CA certificate
Rather than paraphrase the content of the presentation made at the CCC, use the following link to read about the gory detail - as provided by the authors themselves:
http://www.win.tue.nl/hashclash/rogue-ca/
UPDATE: A copy of the presentation slide deck is available here:
http://www.phreedom.org/research/rogue-ca/md5-collisions-1.0.ppt
UPDATE: Microsoft have issued a Security Advisory (961509) here:
http://www.microsoft.com/technet/security/advisory/961509.mspx
UPDATE: Thanks to reader Juha-Matti for these additional links pertaining to today's annoucement:
Mozilla's Security Blog response:
http://blog.mozilla.com/
Microsoft Security Vulnerability Research & Defense (SVRD) Blog response:
http://blogs.technet.com/swi/
More "Fake AV" Incarnations Making The Rounds
Using obfuscated javascript techniques, more "Fake Anti Virus" malware is continuing to present itself to unsuspecting Internet users - in the hopes of gaining an installation through the use of rather effective, social engineering methods.
Some of the latest incarnations observed in the past 24 hours continue to maintain low levels of AV detection (less than 15% based on VirusTotal analysis), and have removed the tell-tale "TDSS" signature from its rootkit driver names (although 1 AV vendor continues to flag the initial stage malware as Rootkit.Win32.TDSS). Other subsequent stage downloads are getting labeled as Trojan.FakeAlert.AKV and Trojan.Fakealert.MW by a few other AV vendors.
In terms of propagation, getting a "hit" from this malware is as easy as entering a series of search terms on your favorite search engine, and unluckily picking a search result that delivers nothing more than the misleading introductory screen and fake anti-virus pop-up alerts (with their associated "D-level" english grammar). Should you unfortunately find yourself victim to this, remember to not click anywhere on the screen, but instead use "Task Manager - Applications" to terminate the victimized web browser session.
Comments