Who Needs 200 PlayStations When All You Have To Do Is Ask?


Filed under Research category.

The hack of the moment is Sotirov, Appelbaum and company's "MD5 considered harmful today," in which a cluster of about 200 PlayStation 3s was used to compute an MD5 collision and forge a rogue intermediate CA certificate. While this hack is both interesting and impressive, there are far easier ways of obtaining SSL certificates that validate perfectly in a modern web browser. Eddy Nigg from StartCom found a Comodo registration authority named Certstar that would issue certificates without any authentication of the requester's control over the domain. As a test he was able to obtain a valid certificate for mozilla.com. Had he been malicious, he could have gotten a certificate for any domain he wanted using this flaw. Amusing side note: StartCom's own authentication system was bypassed around the same time. Mike Zusman was able to issue himself a certificate for verisign.com by exploiting a bug in StartSSL's domain validation mechanism.

Both companies say they have resolved their authentication problems, but the episode demonstrates a fundamental problem with SSL: you are only as safe as the weakest certification authority that you trust. A browser accepts a certificate that chains to any one of its trusted roots, so if any one of those CAs fails to authenticate its customers the entire system breaks down. Extended Validation certificates are one answer to this problem. To be issued an EV cert you must go through a rigorous check to prove you are who you say you are, and that you are authorized to receive an EV cert for the website you are requesting it for. EV guidelines also forbid the use of MD5, which protects them from Sotirov's attack. The catch is that EV only helps if users notice its absence: a lax CA can still issue an ordinary domain-validated certificate for the same site, and the browser will accept it without a warning, merely without the EV indicator.

Web browser creators are aware of the shortcomings of various CAs. Inclusion in a browser's list of trusted roots is what prevents it from popping up a warning message when that CA's certificates are encountered, and if a CA is proven to be untrustworthy it can be removed from that list. CAs sell trust. If they lose that, they have nothing to sell. Hopefully the threat of lost revenue will force all CAs to take a good hard look at the mechanisms they rely upon to obtain our trust.
