Network Security

Researchers Show ‘Secure’ Sites May Not Be Safe

By Mark McDonnell

U.S. and European researchers have demonstrated that digital certificates using the MD5 algorithm can be faked. While some https sites are moving away from MD5, virtually all browsers still accept those “secure” certificates. The researchers used a cluster of Sony PlayStation 3s to create certificates in three days instead of an estimated 30 years.

 The small image of a padlock in the corner of your browser may not accurately indicate that a Web-site connection is secure , according to new research. A team of U.S. and European researchers used a computing grid of more than 200 Sony PlayStation 3 video-game machines to create fake certificates and fool a browser into thinking it had a secure connection with a trusted site.
A EU Collision Attack
Researchers from California, teams from the Centrum Wiskunde & Informatica (CWI) and Eindhoven University of Technology in the Netherlands, and teams from the Ecole Polytechnique Federal de Lausanne (EPFL) in Switzerland presented a paper Tuesday at the 25C3 security congress in Berlin. They showed that they were able to generate two messages with one digital  signature, similar to the process of an older digital-certificate system, using an algorithm called MD5.A user who visits a Web site whose URL begins with https usually sees a locked padlock in a browser corner, indicating that the site employs a digital certificate issued by one of several trusted certificate authorities. The browser verifies the certificate, using one of several algorithms, including, for some sites, MD5.The MD5 digital-certificate system is still in use by many sites, and could enable third parties to create fake certificates and fool a browser into thinking it was visiting a secure site. A more modern and secure digital-certificate system is used by many sites.The vulnerability was first identified four years ago by Chinese researchers, who had created a collision attack by generating two different messages with the same digital signature. But the amount of computing power needed to generate a fake certificate was considered a huge obstacle to anyone attempting to take advantage. By one estimation at the time, a desktop  computer  would need more than 30 years to generate such a fake certificate.But the paper presented in Berlin demonstrated that the researchers, using PS3s in a cluster, were able to generate two fake certificates with the same digital signature in only three days.

Ending the Use of MD5
Security experts had mixed responses. Bruce Schneier, chief security technology  officer for British Telecom, told The New York Times that most people don’t rely on digital certificates. When was the last time you checked your browser certificates to make sure they’re good, he asked.But other security researchers have suggested that the research could have an enormous impact, affecting virtually every browser as well as e-mail, chat servers, and online collaboration. Although only some sites use the older digital certificates, all browsers will accept them.Using this weakness, for instance, it would be possible to set up virtually undetectable phishing sites that a browser identifies as trusted and secure.Arjen Lensa, head of EPFL’s Laboratory for Cryptologic Algorithms, said the major browser makers, such as Mozilla and Microsoft, have been informed of the vulnerability.The immediate goal of the research is to end the use of the MD5 algorithm, which is still being used by some certificate authorities. CWI cryptanalyst Marc Stevens said it’s imperative to migrate to more robust alternatives such as SHA-2 and the upcoming SHA-3 standard.

Mark McDonnell

Mark McDonnell is a seasoned technology writer with over 10 years of experience covering a wide range of tech topics, including tech trends, network security, cloud computing, CRM systems, and more. With a strong background in IT and a passion for staying ahead of industry developments, Mark delivers in-depth, well-researched articles that provide valuable insights for businesses and tech enthusiasts alike. His work has been featured in leading tech publications, and he continuously works to stay at the forefront of innovation, ensuring readers receive the most accurate and actionable information. Mark holds a degree in Computer Science and multiple certifications in cybersecurity and cloud infrastructure, and he is committed to producing content that reflects the highest standards of expertise and trustworthiness.

Leave a Comment