Information Technology News
The Latest MD5 Attack - The Sky Continues to Fall
by David Heath
Wednesday, 31 December 2008

Page 2 of 3

This only affects CAs which rely on MD5. Following warnings from a variety of cryptographers since 1996 that there were potential issues with MD5, many root-level CAs transitioned to SHA-1.

So far, perhaps I haven’t explained why this is a BIG PROBLEM. There are a number of issues, but the biggest is this: undetectable Man-In-The-Middle-Attacks (MITM) on secured (SSL) communication. To put it simply, in certain situations, the padlock on the browser can no longer be trusted.

Allow me to repeat that. After everything that EVERY support person has told EVERY user, the padlock can no longer be trusted. Blaspheming at this point is appropriate. HOLY CR*P!!!

More importantly, we have no idea if Sotirov and his fellow researchers were the first to identify the problem. No idea at all. And no way of finding out. Further, this isn’t a problem with the browser – it cannot be fixed by Microsoft or Firefox or anyone else; it’s fundamental to the way things work.

Further still, most browsers have no way to revoke existing certificates. Under all versions of Internet Explorer prior to v7 and Firefox prior to v3, certificate revocation was disabled by default. IE v7 and Firefox v3 rely on the certificate to include a revocation URL. Yeah, right, Sotirov's one certainly doesn't!

This gets bigger. Allow me to quote from the presentation paper:

“Another interesting scenario is that our result opens possibilities for Denial of Service attacks on existing Certification Authorities. If an attacker wants to have somebody's certificate revoked (e.g. of a competing web shop), he can use our techniques to obtain a rogue certificate from the same Certification Authority, which has the same serial number as the target certificate. As soon as this rogue certificate gets published, the Certification Authority has no choice but to revoke it. Since revocation happens only on the basis of the serial number of the certificate, at the same time the legitimate certificate of the victim will be revoked. This attack will become extremely powerful if the root certificate of the Certification Authority is targeted. An attacker can thus force revocation of this root certificate, and with that of the entire certificate tree depending on it.”

Double HOLY CR*P.

I said on the first page that I’d explain why the Internet isn’t necessarily seriously broken - which I’ve done on this page, as only 6 of 50 CAs are directly affected. I also said I’d explain why it still is seriously broken.






