If you haven’t heard yet, a practical attack on the X.509 infrastructure using MD5 hashes has been demonstrated at the Chaos Communication Congress (CCC) today.

The basic gist of the attack is that a “normal” certificate is issued from a well-known and trusted CA (in this case “Equifax Secure Global eBusiness CA-1”) and then use the “magic” of MD5 hashing to create a certificate that collides with the “real” one, but just happens to be a CA. This CA can then issue certificates as they please, and your browser will trust them, no questions asked.

The details are a bit more in depth, and unless you study cryptography, you will find rather boring and dry. However, MD5 hashes have been known to collide in X.509 certificates since 2005, and this paper just takes it a step further and shows how bad this really is. The attack requires a little bit of money (to buy certificates) and some statistics on how the CA operates (how soon certs are issued, what the “next” serial number will be). Then a knowledge of how to collide MD5 hashes is used to create a new certificate – with the CA basic constraint set to “true”. Suddenly, you have a CA certificate that is trusted by all of the major browsers.

What does this mean for “normal” people? It means that an attacker can now create a site that looks just like your bank’s but takes your username and password, and your browser isn’t going to complain about it. You’ll have a lock, or a yellow location bar, or whatever your browser uses to indicate that the site is “trusted” and “secure”. However, you’ll be giving your username and password to the attacker.

What can you do about it? Immediately, remove the Equifax Secure Global eBusiness CA-1 from the list of trusted CAs – I’ve provided links below for how to do that on various systems and browsers. However, that is certainly not the only CA that is vulnerable, just the one that’s been proven to be vulnerable. There are several CAs listed in the linked paper that issue MD5 certificates – stop trusting them too. In the long run, the CAs have to fix themselves and stop using MD5 hashes in certificates. SHA-1 is better, and SHA-256 is best (good luck finding a CA that issues only SHA-256 hash certificates).

How to distrust CAs:

  • OS X – Keychain. Double-click the CA in X509Anchors (Tiger) or System Roots (Leopard) and under Trust, select “Never Trust”.
  • Firefox – The instructions are for the Comodo certificate, but it’s the same thing.
  • Internet Explorer (and anything that uses MS CAPI, like Outlook).

9 thoughts on “MD5 is really seriously broken this time

  1. nm23728 says:

    deleting one at a time will help only so little – CRL’s have to be published, regularly, and easy enough for normal users of IE, FF, SAF, OP etc
    also NEVER set an expiry date to 20 years in the future! i would review every algorithm after a few years anyways

  2. katie says:

    So, I want to go to https://feedback.shmoocon.org but I see that their cert was issued by Equifax Secure Global eBusiness CA-1. I see that the cert has both an MD5 fingerprint and a SHA1 fingerprint. Does the SHA1 fingerprint mean I can trust this cert? I.e., does it in some sense override the collision vulnerability of the MD5 fingerprint?

  3. The fingerprint of the certificate is not the same as the hash located inside of the certificate. The fingerprint is just a way for you to verify the entire certificate. In this particular case (if the certificate is not valid), the fingerprint will not match the “real” certificate, but you’d have to find someone at the CA who would go into the certificate data base (if they keep it – they usually do) to check for the matching fingerprint. Your browser is computing that hash for you. It’s not terribly useful unless you know the owner of the CA (especially in the case of self-signed certificates).

  4. KR says:

    On December 30, 2008 at the Chaos Communication Congress in Berlin, three researchers presented a paper in which they had used an MD5 collision attack and substantial computing firepower to create a false SSL Certificate using the RapidSSL brand of certificates.
    VeriSign are happy to announce that this attack articulated was rendered ineffective for all SSL Certificates available from VeriSign by 11am PST of the same day.

    End all is:
    This vulnerabilty no longer exists.

  5. As of that morning, all new attacks were stopped. The weaknesses in MD5 that allowed this attack have been known since 2005, and just because this group of researchers was the first to publicize it does not mean that there are not other rogue CAs in existence. So yes, the vulnerability can no longer be exploited. But if it was ever exploited in the past, there’s still risk to anyone who depends on the RapidSSL CA.

  6. Tom Scheetz says:

    I have used equifax in the past and found the service to be quite good. Most of the credit rating services are fairly similar eitherway

Comments are closed.