w00t
I guess a firefox patch adding an option to reject the weak certificates might be a fun thing..
Researchers have uncovered a weakness in the internet's digital certificate system that allows them to forge counterfeit credentials needed to impersonate virtually any website that relies on the widely used security measure. Armed with more than 200 PlayStation 3 game consoles, the researchers are able to create a secure …
A cluster of PCs using modern graphics cards could come close (maybe even be faster, depending on the algorithm I guess).
Given that it's now been proven that these authorities can be faked relatively easily (the price of 200 PS3s is nothing compared to the potential gains from fraud), the authorities using MD5 certificates should be immediately deleted from the list of valid authorities in all browsers. That's the simplest patch - in fact the user could do it themselves if El Reg had had the guts to print the names.
While collisions in MD5 are not exactly news, their practical application to break PKI is big news. And it can be repeated, as 200 game consoles is not that big an expense. I really do hope that the root certificates of those CAs still using MD5 will be promptly removed from all the leading browsers.
Er..... All the games companies should be worried about this.
Surely if the clustered PS3 environment is able to crack SSL certs, then possibly, if they turned it on to the AES encryption on the files contained on Wii/Xbox360/PS3 games, they would be able to sign, and subsequently boot, whatever they liked......
"oh, yeah.. the PS3 is the worst of the consoles then?? :p
I'd like to see a Wii cluster do that!!! or see how many Xbox360s would still be running after being left on long enough to do that!!"
Right on, I think you could try for the world record of RROD's within a 50ft vicinity!
No console can compete with the PS3, technologically speaking
I don't think the list has been published, but if you view the certificate details you can see what the certificate signature algorithm is. I checked a couple of certs ... one provided by "Equifax Secure Global eBusiness CA-1" (issued by RapidSSL) was MD5 signed, one provided by "Verisign Class 3 Secure Server CA" was SHA-1.
Mind you, that's a sample of 2 certs ... I'm not implying anything at all about Equifax or Verisign as a whole!!!
More details here http://www.win.tue.nl/hashclash/rogue-ca/ - it even lists some MD5-only CAs. Why though am I not surprised that Equifax (RapidSSL) are at the top of the list, with 97% of the certs found being issued by them - buy cheap, get cheap.
The others are surprising though, I suspect legacy reasons.
An easy kill for Rapid SSL cert on my machine.
Actually, the list of CAs still using some MD5-signed certificates is easily found in the PDF of the talk on the CCC website: RapidSSL (who issued 97% of the MD5-using certificates the team found), FreeSSL, TrustCenter, RSA Data Security, Thawte, verisign.co.jp
http://events.ccc.de/congress/2008/Fahrplan/attachments/1251_md5-collisions-1.0.pdf
"A cluster of PCs using modern graphics cards could come close"
And would cost..? The PS3 appears to provide more raw number-crunching bang for your buck than anything currently available, which is probably why each one loses Sony money (who must be a tad worried that so many are ending up in the hands of non-gamers!)
Networking4all created a tool to check if a certificate in the chain has been signed with an insecure algorithm.
Example:
https://www.networking4all.com/en/support/tools/site+check/?fqdn=www.verisign.com
You can check all sites on:
https://www.networking4all.com/en/support/tools/site+check/
"certificate authorities, which are appointed organizations that validate the authenticity of websites used for banking and other sensitive online activities"
Appointed? by whom? Trusted maybe - but nobody appointed Verisign et al. The majority of Certificate Authorities are only such ("authorities") because we accept their self-signed certificates (Or Microsoft and other browser producers accept them on our behalf). Not that their self-appointed status makes any difference to the fact that MD5 has been broken for several years and that even the much maligned Vista has changed all the MD5 options in its firewall settings to "not recommended". So it is rather alarming if MD5 signed certificates are being issued by any major CA or automatically treated as trusted by any browser or OS.
They did certainly name the insecure CAs:
• We collected 30,000 website certificates
○ 9,000 of them were signed with MD5
○ 97% of those were issued by RapidSSL
• CAs still using MD5 in 2008:
○ RapidSSL
○ FreeSSL
○ TrustCenter
○ RSA Data Security
○ Thawte
○ verisign.co.jp
So anything touched by RapidSSL is out, then. Shame. Buhbye, RabidSSL, you will not be missed.
The Wii, 360 and PS3 ALL use IBM chips. The Wii uses a PPC, the 360 a conventional POWER multicore and the PS3 the Cell POWER. In all odds, they were looking for floating-point performance, in which case only the Cell chip would do (hell, that chip was created just for FLOPs).
Anyway, stop complaining. The real winner in this round of the console wars is Big Blue.
The list of affected CAs can be found at http://www.win.tue.nl/hashclash/rogue-ca/ in section 5.1, reproduced here for convenience:
RapidSSL
C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusiness CA-1
FreeSSL (free trial certificates offered by RapidSSL)
C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Network Applications
TC TrustCenter AG
C=DE, ST=Hamburg, L=Hamburg, O=TC TrustCenter for Security in Data Networks GmbH, OU=TC TrustCenter Class 3 CA/emailAddress=certificate@trustcenter.de
RSA Data Security
C=US, O=RSA Data Security, Inc., OU=Secure Server Certification Authority
Thawte
C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
verisign.co.jp
O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign International Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
Just open up the Trusted Root Certificate List in your browser (Firefox of course 8-) and look at the Certificate Signing Algorithm, and if it says "PKCS #1 MD5 With RSA Encryption" instead of "PKCS #1 SHA-1 With RSA Encryption" (or SHA-2) then you can edit the properties and turn off the trust settings or delete the whole CA root certificate. That should keep you safe for the time being 8-)
Yes it does look like the Equifax CA-1 root certs are signed with MD5.
Some of the Verisign certs are signed with MD2 .. these look like older CAs.
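The manual browser check above can be automated. The following is an added example (not from the thread, the research team, or any vendor tool): a stdlib-only Python checker that reads the outer signatureAlgorithm OID straight out of each DER certificate in a chain and flags MD2- or MD5-with-RSA. The sample chain is constructed inline with placeholder TBS bodies and dummy signatures; the OID walk works the same on real DER certificates.

```python
"""Flag MD2/MD5-signed certificates in a chain by decoding the outer
Certificate.signatureAlgorithm OID from DER. Stdlib only, runs offline."""

WEAK = {"1.2.840.113549.1.1.2": "md2WithRSAEncryption",
        "1.2.840.113549.1.1.4": "md5WithRSAEncryption"}
KNOWN = dict(WEAK, **{"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                      "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"})

def der_tlv(tag, body):
    """Encode one DER tag-length-value (short and long definite lengths)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(chunk)
    return der_tlv(0x06, bytes(body))

def read_tlv(buf, pos):
    """Return (tag, value, position after value) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next N bytes hold length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(cert, 0)           # skip tbsCertificate entirely
    _, alg_id, _ = read_tlv(cert, pos)      # AlgorithmIdentifier SEQUENCE
    _, oid_body, _ = read_tlv(alg_id, 0)    # its first element is the OID
    return decode_oid(oid_body)

def weak_links(chain):
    """Return [(index, algorithm name)] for every MD2/MD5-signed cert in chain."""
    hits = []
    for i, cert in enumerate(chain):
        oid = signature_algorithm_oid(cert)
        if oid in WEAK:
            hits.append((i, WEAK[oid]))
    return hits

def fake_cert(sig_oid, label):
    """Constructed sample: placeholder TBS, real AlgorithmIdentifier, dummy signature."""
    tbs = der_tlv(0x30, der_tlv(0x13, label.encode()))
    alg = der_tlv(0x30, der_oid(sig_oid) + b"\x05\x00")   # OID + NULL params
    sig = der_tlv(0x03, b"\x00" + b"\xAA" * 16)           # BIT STRING, 0 unused bits
    return der_tlv(0x30, tbs + alg + sig)

# Constructed chain: SHA-256 leaf, MD5-signed intermediate, SHA-1 root
SAMPLE_CHAIN = [fake_cert("1.2.840.113549.1.1.11", "leaf"),
                fake_cert("1.2.840.113549.1.1.4", "intermediate"),
                fake_cert("1.2.840.113549.1.1.5", "root")]

if __name__ == "__main__":
    for idx, name in weak_links(SAMPLE_CHAIN):
        print(f"certificate {idx} is signed with {name}: untrusted")
```

Note that, as the thread's later comment on "Gold Plated" CAs points out, a weak algorithm anywhere in the chain matters, which is why the whole chain is walked rather than just the leaf.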
"I don't think it's much of a shock that some certificates approved by Equifax might be worthless - who do you think signed off on the credit approval for all those mortgages that went south?"
Think the point is that using a "Gold Plated" CA for your own certs does not give you any additional protection against this attack. It's the client that needs updating.
>"Here's some more on the situation - comment #7 mentions a few names."
No, that's a different problem altogether. In that case, the CA was issuing certificates without checking who they were issuing to was actually the owner of the domain they were issuing a certificate for. Nothing was forged, there was no crypto break involved and the bogus cert could have used any hash algorithm, not just md5.
What are people commenting on here? Apart from the usual PS3 fanboy eruptions, we have claims that SSL is broken and verbal attacks against this or that certification authority. WTF?
Ok, let's make things precise:
- SSL/TLS is NOT broken. It is not even involved. If you don't use certificates, no problem
- Certification of public keys, however, is holed below the waterline:
-- you find a pair (public key 1, distinguished name 1, certificate authority = true) and (public key 2, distinguished name 2, certificate authority = false) which hash to the same MD5 value. This has been done using lots of processors which happen to be PS3 Cell chips. So who cares.
-- you find a certification authority which still uses MD5 as hashing algorithm, i.e. which still has
"default_md = md5" in its openssl.cnf file in spite of CAN-2005-2946.
-- you submit (public key 2, distinguished name 2, certificate authority = false) to your slowpoke certification authority for signature.
-- you set up a webserver for bank0famerica.com, apparently signed by slowpoke certification authority, by making good use of (public key 1, distinguished name 1, certificate authority = true) in the certification chain.
-- profit!
Signature algorithms can be found listed for example here:
http://bouncycastle.gva.es/www.bouncycastle.org/docs/docs1.4/org/bouncycastle/jce/provider/JDKDigestSignature.MD5WithRSAEncryption.html
"SSL/TLS is NOT broken" - indirectly it is. Or I think so, as I always assumed that SSL is based on PKI and supports certificate chains. If so, how can a user (directed to a malicious host through other means, like a poisoned DNS owned by an ISP) know whether he is connected to the "right" or "wrong" address, given that the certificate chain in both cases will be valid and start with a trusted root CA?
Yeah, this would be very easy to do on a PS3 - heck, you install Linux on it and still have it boot back to its original OS simply enough, and well, I've seen the sort of crunch power a mere 8 of these can do. It's the fact it is indeed, as previously stated, Cell powered; anything remotely needing powerful FP computation gets eaten alive by this console...
I'd love to see a PC with a CPU / GPU combo that could outperform the PS3 for the same cost...
But I mean there was a whole project much like SETI to show how weak the MD5 system was. It took a while but it was done and dusted, and this was using PCs running at < 2GHz...
Hm... now I am more inclined to learn to use the Cell's SPEs. Basically that's the reason I installed Linux on my PS3.
The funny thing is that this news was given to me by a friend saying "OMGWTFBBQ! SSL 0WNED!" when in fact only the md5 certs were "cracked". But then again, the site reporting the news put "SSL CRACKED BY 200 PS3'S" as the headline.