A team of security researchers using a cluster of PlayStation 3s has created an attack that can spoof SSL certificates that use the MD5 algorithm to generate signing keys, including RapidSSL certificates issued by VeriSign. Details of the attack have been published by security researcher Alexander Sotirov and described in a blog post by Kevin Poulsen at Wired.
"As a proof of concept we executed a practical attack scenario and successfully created a rogue Certification Authority (CA) certificate trusted by all common web browsers," Sotirov writes. "This certificate allows us to impersonate any website on the Internet, including banking and e-commerce sites secured using the HTTPS protocol."
This is a scary-looking attack, and will drive the final nail in the coffin of the use of MD5 in SSL certificates. But it remains difficult to execute, requiring up to two days of data-crunching on the PS3 cluster, which equates to 8,000 desktop cores. The fear is that this kind of computing capacity is not as difficult to acquire as it used to be.
The weaknesses in MD5 that allowed this attack have been known for years, and many SSL authorities have since switched to sturdier algorithms to secure their certificates.
VeriSign says it already planned to discontinue the use of MD5 in new certificates. Late today VeriSign's Tim Callan said that the company had "resolved" the threat posed by the MD5 attack. "I'm happy to announce that this attack articulated this morning has been rendered ineffective for all SSL Certificates available from VeriSign," Tim writes.
Callan did not offer details on precisely how the attack had been prevented. The Wired blog item noted that "the researchers expect that their forged CA certificate will be revoked by Verisign following their talk, rendering it powerless."
The researchers have briefed the security teams at Microsoft and Firefox about the potential hazards to web surfers, and say they have no plans to disclose their code.
The bottom line: "Stop using MD5 as soon as possible, and migrate to more secure cryptographic hash functions," the researchers write. In the meantime, "digital certificates legitimately obtained from all CAs can be believed to be secure and trusted, even if they were signed with MD5. Our method required the purchase of a specially crafted digital certificate from a CA and does not affect certificates issued to any other regular website."
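A defender-side check that follows from that advice, added here as an example and not taken from the article or the researchers' work: walk a DER-encoded X.509 certificate far enough to read its signature algorithm OID and flag MD5-based (and MD2-based) signatures. The helper names and the synthetic certificate skeleton are this example's own assumptions.

```python
# Added example (not from the article): walk a DER-encoded X.509 certificate with
# stdlib-only code, read its signatureAlgorithm OID and flag MD5-based signatures.
WEAK_SIGNATURE_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
                       "1.2.840.113549.1.1.2": "md2WithRSAEncryption"}

def _read_tlv(buf, pos):
    """Parse one DER tag and length; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0        # first byte packs two arcs
    for b in raw[1:]:                                   # base-128, high bit = more
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, pos, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert_der, pos)                # skip tbsCertificate
    _, pos, _ = _read_tlv(cert_der, pos)                # enter AlgorithmIdentifier
    tag, start, end = _read_tlv(cert_der, pos)          # its first field is the OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(cert_der[start:end])

def weak_signature(cert_der):
    """Name of the weak signature algorithm (e.g. md5WithRSAEncryption), else None."""
    return WEAK_SIGNATURE_OIDS.get(signature_algorithm_oid(cert_der))

# Constructed sample input: a certificate skeleton (placeholder tbsCertificate,
# dummy signature) that is just enough for the check above to run offline.
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value
def synthetic_certificate(oid_der):
    tbs = _tlv(0x30, _tlv(0x02, b"\x02"))                    # placeholder, not a real TBS
    alg = _tlv(0x30, _tlv(0x06, oid_der) + b"\x05\x00")       # AlgorithmIdentifier + NULL
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 257))  # exercises long-form length
MD5_RSA_OID_DER = bytes.fromhex("2a864886f70d010104")     # 1.2.840.113549.1.1.4
SHA256_RSA_OID_DER = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
```

Run the same check over a real chain by feeding each certificate's DER bytes to `weak_signature`; a production scanner should also compare the inner tbsCertificate.signature field against the outer algorithm, which this example skips.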
See additional coverage and commentary from the New York Times, Ed Felten, CNet and ZDNet.