TweakTown
Tech content trusted by users in North America and around the world
6,252 Reviews & Articles | 40,822 News Posts
TRENDING NOW: Sony teases PlayStation 5 could be a cloud-based console

RapidSSL CA Digital ID hacked

MD5 encryption to blame.

| Posted: Dec 31, 2008 5:00 pm

There is bad news for people that use online banking and shopping (which is most of us). Security experts have discovered that there is a fairly easy way to mimic the digital ID for CA authority sites.

 

A multinational team was able to mimic the Digital ID for RapidSSL. RapidSSL still used the MD5 method of encrypting its Digital Certificates. MD5 is an older encryption standard and has a more than a few known weaknesses. This enabled them to generate fake certificates signed with the false ID.

 

The exploit play off of a weakness in just about all internet browsers.
Every OS and Browser has a list of Trusted Certificate Authorities also called CAs. If anyone of these is compromised or can be successfully emulated your browser and OS will happily accept any certificate supplied by the fake Digital ID. You won't even know it is happening as the browser is set to trust these CAs automatically.

 

Read more at Washington Post.

 

RapidSSL CA Digital ID hacked

The problem, the researchers realized, is that RapidSSL and a few other CAs still sign their digital certificates using a cryptographic method, called MD5, that suffers from known weaknesses. Combining recent and new research about ways to exploit those weaknesses with a homegrown, massive array of number-crunching machines (which included networking together about 200 PlayStation 3 gaming consoles), the team was able to reproduce a virtual clone of the digital signature RapidSSL uses to sign SSL certificates.

 

Armed with those credentials, an attacker who had seized control over a large network, for example, could intercept all requests for users trying to visit a specific e-commerce or banking Web site. The attacker could then redirect the user to a counterfeit version of the site designed to steal the user's credentials. All the while, the user may never know the difference, because the attacker would have presented the victim's Web browser with an SSL certificate, which was signed by an approved CA.

 

"Signing certs with MD5 in 2008 is negligent," said Jacob Appelbaum, one of the team members and a researcher with the Tor Project, a free online anonymity technology. "The problem is that we trust these CA companies, and maybe we shouldn't."

 

Related Tags

Further Reading: Read and find more news at our news index page.

Do you get our news RSS feed? Get It!

Got an opinion on this news? Post a comment below!

Latest News Posts

View More News Posts

Forum Activity

View More Forum Posts

Press Releases

View More Press Releases