RapidSSL CA Digital ID hacked

MD5 encryption to blame.

Published Wed, Dec 31 2008 11:00 AM CST   |   Updated Tue, Nov 3 2020 12:37 PM CST
There is bad news for people that use online banking and shopping (which is most of us). Security experts have discovered that there is a fairly easy way to mimic the digital ID for CA authority sites.

A multinational team was able to mimic the Digital ID for RapidSSL. RapidSSL still used the MD5 method of encrypting its Digital Certificates. MD5 is an older encryption standard and has a more than a few known weaknesses. This enabled them to generate fake certificates signed with the false ID.

The exploit play off of a weakness in just about all internet browsers.
Every OS and Browser has a list of Trusted Certificate Authorities also called CAs. If anyone of these is compromised or can be successfully emulated your browser and OS will happily accept any certificate supplied by the fake Digital ID. You won't even know it is happening as the browser is set to trust these CAs automatically.

Read more at Washington Post.

RapidSSL CA Digital ID hacked

The problem, the researchers realized, is that RapidSSL and a few other CAs still sign their digital certificates using a cryptographic method, called MD5, that suffers from known weaknesses. Combining recent and new research about ways to exploit those weaknesses with a homegrown, massive array of number-crunching machines (which included networking together about 200 PlayStation 3 gaming consoles), the team was able to reproduce a virtual clone of the digital signature RapidSSL uses to sign SSL certificates.

Armed with those credentials, an attacker who had seized control over a large network, for example, could intercept all requests for users trying to visit a specific e-commerce or banking Web site. The attacker could then redirect the user to a counterfeit version of the site designed to steal the user's credentials. All the while, the user may never know the difference, because the attacker would have presented the victim's Web browser with an SSL certificate, which was signed by an approved CA.

"Signing certs with MD5 in 2008 is negligent," said Jacob Appelbaum, one of the team members and a researcher with the Tor Project, a free online anonymity technology. "The problem is that we trust these CA companies, and maybe we shouldn't."

Newsletter Subscription

Related Tags

Newsletter Subscription
Latest News
View More News
Latest Reviews
View More Reviews
Latest Articles
View More Articles