A multinational team was able to mimic the Digital ID for RapidSSL. RapidSSL still used the MD5 method of encrypting its Digital Certificates. MD5 is an older encryption standard and has a more than a few known weaknesses. This enabled them to generate fake certificates signed with the false ID.
The exploit play off of a weakness in just about all internet browsers.
Every OS and Browser has a list of Trusted Certificate Authorities also called CAs. If anyone of these is compromised or can be successfully emulated your browser and OS will happily accept any certificate supplied by the fake Digital ID. You won't even know it is happening as the browser is set to trust these CAs automatically.
Read more at Washington Post.
The problem, the researchers realized, is that RapidSSL and a few other CAs still sign their digital certificates using a cryptographic method, called MD5, that suffers from known weaknesses. Combining recent and new research about ways to exploit those weaknesses with a homegrown, massive array of number-crunching machines (which included networking together about 200 PlayStation 3 gaming consoles), the team was able to reproduce a virtual clone of the digital signature RapidSSL uses to sign SSL certificates.
Armed with those credentials, an attacker who had seized control over a large network, for example, could intercept all requests for users trying to visit a specific e-commerce or banking Web site. The attacker could then redirect the user to a counterfeit version of the site designed to steal the user's credentials. All the while, the user may never know the difference, because the attacker would have presented the victim's Web browser with an SSL certificate, which was signed by an approved CA.
"Signing certs with MD5 in 2008 is negligent," said Jacob Appelbaum, one of the team members and a researcher with the Tor Project, a free online anonymity technology. "The problem is that we trust these CA companies, and maybe we shouldn't."
- > NEXT STORY: Rahul Sood Predicts End of the high-end gaming PC
- < PREVIOUS STORY: OCZ takes covers off Dominatrix Laser Gaming Mouse