Tuesday, December 30, 2008

Rogue CA certificates through MD5 collisions

Armando Romeo

Researchers Sotirov and others have provided a practical proof of concept of a well-known but until now theoretical threat: MD5 collisions.

Today, at the 25C3 conference in Berlin, they showed that it is feasible to find a collision with one of the signatures of a browser-embedded trusted root CA and use it to build a new rogue CA capable of signing certificates for rogue websites. The browser would accept these certificates and present the connection as completely secure and reliable.

This is the first time such an attack has been carried out in practice and, according to the authors of the research, over 100 PlayStation 3 consoles were used to find the collisions.

This successful proof of concept shows that the certificate validation performed by browsers can be subverted and malicious attackers might be able to monitor or tamper with data sent to secure websites. Banking and e-commerce sites are particularly at risk because of the high value of the information secured with HTTPS on those sites. With a rogue CA certificate, attackers would be able to execute practically undetectable phishing attacks against such sites.

More on the research can be found here.
