200 PS3s Break VeriSign's SSL

By Devin Connors, published on January 2, 2009 at 3:00 PM
Source: Tom's Guide US

Now more than ever, shopping over the internet is second nature for many people in first-world countries. From Amazon to buy.com to eBay, millions of dollars change hands electronically every day between buyers and sellers.

With such massive amounts of consumer activity online, Secure Sockets Layer (SSL) encryption, backed by certificates from certificate authorities such as VeriSign, helps keep honest shoppers safe from phishing and fraud. A browser that checks those certificates, plus a little internet savvy, lets shoppers tell a real bank or store from a fraudulent look-alike.

That was, up until now. While I wouldn't go sounding the doomsday alarms just yet, an international team of security researchers has managed to undermine the trust that SSL depends on: they produced a rogue certificate authority certificate that browsers accept as genuine.

The actual feat was a collision attack on MD5, the hash algorithm that RapidSSL.com, a VeriSign brand, was still using to sign the certificates it issued. A certificate is meant to confirm that a website is legitimate and not an attempt to mislead the visitor, and the certificate authority does not sign the certificate's contents directly: it signs the MD5 hash of them. The team, using a cluster of about 200 PlayStation 3 consoles for the computation, bought a legitimate certificate from RapidSSL.com and constructed a rogue certificate with the same MD5 hash. The team did not break into RapidSSL.com's systems; because the hashes matched, RapidSSL's genuine signature on the certificate it sold was equally valid on the rogue certificate.
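To make concrete why identical hashes make a signature transferable, here is an added example; it is not code from the Tom's Guide article or from the researchers. It uses the published 2004 Wang and Yu MD5 collision pair, two 128-byte inputs that differ in six bytes yet hash identically, together with a stand-in CA signature (an HMAC over the MD5 digest; the key, the suffix bytes and the "certificate" contents are all constructed for the demo, and real CAs RSA-sign a padded digest instead). Because MD5 processes its input block by block, any common suffix appended to both colliding inputs keeps the digests equal, which is the property that lets collision bytes be tucked into one certificate field while the rest of the certificate is shared.

```python
import hashlib
import hmac

# Published MD5 collision pair from Wang and Yu (2004): two 128-byte inputs
# that differ in six bytes yet produce the same MD5 digest.
M1 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
M2 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)

# Stand-in for the CA's signing key; constructed for this demo, not a real secret.
CA_KEY = b"demo-ca-key-not-a-real-secret"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def ca_sign(tbs: bytes) -> bytes:
    """Toy CA signature: a MAC over the MD5 digest only.

    Real CAs RSA-sign a padded digest instead, but the essential property is
    the same: the signature binds the digest, not the bytes that produced it.
    """
    return hmac.new(CA_KEY, hashlib.md5(tbs).digest(), "sha256").digest()


def ca_verify(tbs: bytes, sig: bytes) -> bool:
    """Recompute the digest of what we were handed and check the MAC over it."""
    return hmac.compare_digest(ca_sign(tbs), sig)


def differing_offsets(a: bytes, b: bytes) -> list:
    """Byte offsets at which two equal-length inputs differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def signature_transfer(common_suffix: bytes) -> dict:
    """Sign a 'certificate' built on M1 and check that signature against the M2 twin.

    MD5 is a Merkle-Damgard hash with a 64-byte block, and M1/M2 are exactly two
    blocks that leave the internal chaining state identical, so any shared suffix
    (here standing in for the certificate fields both versions have in common)
    keeps the collision alive and the CA's signature verifies on both.
    """
    honest_tbs = M1 + common_suffix
    rogue_tbs = M2 + common_suffix
    sig = ca_sign(honest_tbs)
    return {
        "same_digest": md5_hex(honest_tbs) == md5_hex(rogue_tbs),
        "rogue_accepted": ca_verify(rogue_tbs, sig),
        "differing_bytes": differing_offsets(honest_tbs, rogue_tbs),
        "digest": md5_hex(honest_tbs),
    }


if __name__ == "__main__":
    # Constructed suffix: the "rest of the certificate" shared by both versions.
    print(signature_transfer(b"CN=example-rogue-ca; CA:TRUE"))
```

The example is intentionally one step simpler than the real attack, which used a chosen-prefix collision so that the two colliding certificates could have different, attacker-selected fields before the collision bytes; the identical-prefix pair here shows the same signature-transfer consequence with published data.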

According to the report, "the team that did the research work included independent researchers Jacob Appelbaum and Alexander Sotirov, as well as computer scientists from the Centrum Wiskunde & Informatica, the Ecole Polytechnique Federale de Lausanne, the Eindhoven University of Technology and the University of California, Berkeley." As of the original story, the team was set to present its results at the Chaos Communication Congress in Berlin.

While the findings are certainly a feat, and a frightening one at that, the team responsible, along with companies like Microsoft, has downplayed the vulnerability. "This new disclosure does not increase risk to customers significantly, as the researchers have not published the cryptographic background to the attack, and the attack is not repeatable without this information," said Microsoft. So, assuming the detrimental information stays out of the wrong hands, we are all safe.

Despite downplaying the severity of the hack, one team member made a point of saying internet security needs to change. "It's a wake-up call for anyone still using MD5," said David Molnar, a team member and Berkeley graduate student. Tim Callan, VeriSign's vice president of product marketing, said RapidSSL.com will stop issuing MD5-based digital certificates by the end of January and is attempting to move its customers onto newer security products. Site operators can take the same advice: check which hash algorithm signed the certificates in their chains, and reissue any that still rely on MD5.
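As a practical follow-up to Molnar's warning, here is an added example, not from the article, VeriSign or the researchers, that reads the outer signatureAlgorithm of a DER- or PEM-encoded certificate and flags MD5- or MD2-based RSA signatures. The minimal DER walker and the skeletal test certificate are constructed for the demo (its tbsCertificate body is a placeholder, not real X.509 content); the OIDs are the standard PKCS #1 identifiers.

```python
import base64

# Standard PKCS #1 signature-algorithm OIDs (RFC 3279 / RFC 4055).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
# Digests with practical collision attacks: MD5 is the one used against
# RapidSSL; MD2 is older and weaker still.
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.2", "1.2.840.113549.1.1.4"}


def read_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Decode OBJECT IDENTIFIER contents; the first byte packs the first two arcs."""
    arcs = [value[0] // 40, value[0] % 40]
    cur = 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends this base-128 arc
            arcs.append(cur)
            cur = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(data: bytes) -> bytes:
    """Accept either raw DER or a PEM-armored certificate."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
        return base64.b64decode(body)
    return data


def signature_algorithm(cert: bytes) -> str:
    """Dotted OID of Certificate.signatureAlgorithm, the algorithm the CA signed with."""
    tag, body, _ = read_tlv(pem_to_der(cert), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(body, 0)        # tbsCertificate: skipped here
    tag, alg_id, _ = read_tlv(body, pos)    # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier")
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return decode_oid(oid)


def weak_signature_name(cert: bytes):
    """Name of the weak signature algorithm if the cert uses MD2/MD5-RSA, else None."""
    oid = signature_algorithm(cert)
    return SIG_ALG_NAMES.get(oid, oid) if oid in WEAK_SIG_OIDS else None


# --- constructed test data: a skeletal certificate, not a real X.509 certificate ---
def der(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV with a short- or long-form length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


MD5_RSA_ALG = bytes.fromhex("300d06092a864886f70d0101040500")     # md5WithRSA, NULL params
SHA256_RSA_ALG = bytes.fromhex("300d06092a864886f70d01010b0500")  # sha256WithRSA, NULL params


def skeletal_cert(alg_id: bytes) -> bytes:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tbs = der(0x30, der(0x02, b"\x01"))              # placeholder TBS body (INTEGER 1)
    sig = der(0x03, b"\x00" + b"\xaa" * 128)          # BIT STRING, 0 unused bits, dummy signature
    return der(0x30, tbs + alg_id + sig)


def to_pem(der_bytes: bytes) -> bytes:
    """Wrap DER in PEM armor, used here only to exercise pem_to_der."""
    return b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der_bytes) + b"\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for label, alg in (("md5", MD5_RSA_ALG), ("sha256", SHA256_RSA_ALG)):
        cert = skeletal_cert(alg)
        print(label, signature_algorithm(cert), weak_signature_name(cert))
```

Run it against every certificate in a chain, not just the leaf: a SHA-256 leaf hanging off an MD5-signed intermediate is still only as strong as MD5.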

Comments

Shadow703793 01/02/2009 10:24 PM

Wow....amazing.

Quote :So, assuming the detrimental information stays out of the wrong hands, we are all safe.

:lol: I don't believe that. It's just a matter of time.

cl_spdhax1 01/02/2009 11:28 PM

And it only took over $80,000 to do it...

Shadow703793 01/03/2009 2:02 AM

^ Still. $80k is pretty cheap considering that you can make ~$100k easily selling fake certs.

bin1127 01/03/2009 2:56 AM

^ Exactly, it's all about who's willing to pay for fake certificates.

ossie 01/03/2009 8:39 AM

Microsuxx still faithful to its corporate spin - security by obscurity - but this "security" model is proven to fail all over again; the unknown being when it'll be defeated, not if.

Darkk 01/04/2009 2:35 AM

I have to wonder, though. Remember when 40-bit SSL certs were safe until somebody at distributed.net cracked it in 3 days, and then everybody switched to 128-bit certs? It cost money and time to make the switch.

So I have to wonder, is this some kind of a scheme to scare people into "OMG" and force everybody to update their SSL certs?

Attempting to crack security products isn't new; it's just that when they get the media involved, people start to panic.

zodiacfml 01/04/2009 5:04 AM

Computing security is a balancing act.
That might be dangerous, but SSL is not the only security precaution on the internet.

nekatreven 01/05/2009 2:24 AM

The issue here is that they AREN'T 'fake certs'. They hacked the site and started creating cryptographically IDENTICAL certs. A hash is a hash, folks.

That's like someone coming up with a way to make clones of diamonds that come out 100% correct on a molecular level, and then calling the clones fake.

If the chemist can't tell and the jeweler can't tell and it cuts the other damn diamond...WHO CARES.

Same with these certs.

Even if the CA finds the issue and removes the certs from their records, it's STILL a cryptographically valid cert.

If you were to re-buy the cert...this time legit...the hash would still be the same. I bet you wouldn't even have to re-install the old, supposedly fake, certificates.

jabliese 01/05/2009 3:37 PM

Nekatreven:

redirected site + fake cert = illegal $$$

Get it?

nekatreven 01/05/2009 4:41 PM

Of course I get what can be done with it. That's not hard.

At first I did think this referred to generating certs that never existed before. I suppose it refers to making copies of existing ones. That doesn't really matter either way though.

Even in trying to explain it to me...you just called the cert fake. If it was fake, the victim's browser would not accept it.

A 'copied cert' or a 'stolen cert' perhaps, but if the hashes match, it isn't fake. I don't really think people are grasping that concept.

Like if I had a program that generated duplicates of valid nuclear launch codes...you'd call them fake. That's dangerous.

"...and as the missiles bore down upon them, they thought to themselves, 'Hey, maybe fake was the wrong choice of wording here.'..."

This obviously isn't as dire as nuclear warheads, but I still think it is very unwise to call these certs fake. I guess for now I should just be happy they are phasing out MD5.
