News & Product Reviews for Tech Leaders

Top Tech News

Network Security

Researchers Show ‘Secure’ Sites May Not Be Safe

by Editorial Staff

U.S. and European researchers have demonstrated that digital certificates using the MD5 algorithm can be faked. While some https sites are moving away from MD5, virtually all browsers still accept those “secure” certificates. The researchers used a cluster of Sony PlayStation 3s to create certificates in three days instead of an estimated 30 years.

 The small image of a padlock in the corner of your browser may not accurately indicate that a Web-site connection is secure , according to new research. A team of U.S. and European researchers used a computing grid of more than 200 Sony PlayStation 3 video-game machines to create fake certificates and fool a browser into thinking it had a secure connection with a trusted site.
A EU Collision Attack
Researchers from California, teams from the Centrum Wiskunde & Informatica (CWI) and Eindhoven University of Technology in the Netherlands, and teams from the Ecole Polytechnique Federal de Lausanne (EPFL) in Switzerland presented a paper Tuesday at the 25C3 security congress in Berlin. They showed that they were able to generate two messages with one digital  signature, similar to the process of an older digital-certificate system, using an algorithm called MD5.A user who visits a Web site whose URL begins with https usually sees a locked padlock in a browser corner, indicating that the site employs a digital certificate issued by one of several trusted certificate authorities. The browser verifies the certificate, using one of several algorithms, including, for some sites, MD5.The MD5 digital-certificate system is still in use by many sites, and could enable third parties to create fake certificates and fool a browser into thinking it was visiting a secure site. A more modern and secure digital-certificate system is used by many sites.The vulnerability was first identified four years ago by Chinese researchers, who had created a collision attack by generating two different messages with the same digital signature. But the amount of computing power needed to generate a fake certificate was considered a huge obstacle to anyone attempting to take advantage. By one estimation at the time, a desktop  computer  would need more than 30 years to generate such a fake certificate.But the paper presented in Berlin demonstrated that the researchers, using PS3s in a cluster, were able to generate two fake certificates with the same digital signature in only three days.

Ending the Use of MD5
Security experts had mixed responses. Bruce Schneier, chief security technology  officer for British Telecom, told The New York Times that most people don’t rely on digital certificates. When was the last time you checked your browser certificates to make sure they’re good, he asked.But other security researchers have suggested that the research could have an enormous impact, affecting virtually every browser as well as e-mail, chat servers, and online collaboration. Although only some sites use the older digital certificates, all browsers will accept them.Using this weakness, for instance, it would be possible to set up virtually undetectable phishing sites that a browser identifies as trusted and secure.Arjen Lensa, head of EPFL’s Laboratory for Cryptologic Algorithms, said the major browser makers, such as Mozilla and Microsoft, have been informed of the vulnerability.The immediate goal of the research is to end the use of the MD5 algorithm, which is still being used by some certificate authorities. CWI cryptanalyst Marc Stevens said it’s imperative to migrate to more robust alternatives such as SHA-2 and the upcoming SHA-3 standard.

Leave a Comment

INSIDE TOP TECH NEWS

TECH TRENDS

NETWORK SECURITY

CLOUD COMPUTING

HARDWARE

APPLICATIONS

CONTRIBUTED CONTENT

MICROSOFT/WINDOWS

BIG DATA

APPLE/MAC

MOBILE TECH

WORLD WIDE WEB

AUTOMOTIVE TECH

CRM SYSTEMS

GOVERNMENT

CHIPS & PROCESSORS

PERSONAL TECH

NETWORK SITES

CIO TODAY

TOP TECH NEWS

MOBILE TECH TODAY

DATA STORAGE TODAY

NEWSFACTOR

ENTERPRISE SECURITY TODAY

SCI-TECH TODAY

CRM DAILY

ABOUT OUR NETWORK

SERVICES

FREE NEWSLETTERS

ARTICLE REPRINTS

CONTACT US

PRIVACY POLICY

TERMS OF SERVICE

BENEFITS

ADVERTISE WITH US

PUBLIC RELATIONS (PR) SERVICES(In Partnership with NewsFactor)

SEO SERVICES

SPONSORED CONTENT SERVICES

News & Product Reviews for Tech Leaders

Copyright 2024 CIO Today Network. All rights reserved. Member of Accuserve Ad Network.