A multinational team was able to mimic the Digital ID for RapidSSL. RapidSSL still used the MD5 method of encrypting its Digital Certificates. MD5 is an older encryption standard and has a more than a few known weaknesses. This enabled them to generate fake certificates signed with the false ID.
The exploit play off of a weakness in just about all internet browsers.
Every OS and Browser has a list of Trusted Certificate Authorities also called CAs. If anyone of these is compromised or can be successfully emulated your browser and OS will happily accept any certificate supplied by the fake Digital ID. You won't even know it is happening as the browser is set to trust these CAs automatically.
Read more at Washington Post.
The problem, the researchers realized, is that RapidSSL and a few other CAs still sign their digital certificates using a cryptographic method, called MD5, that suffers from known weaknesses. Combining recent and new research about ways to exploit those weaknesses with a homegrown, massive array of number-crunching machines (which included networking together about 200 PlayStation 3 gaming consoles), the team was able to reproduce a virtual clone of the digital signature RapidSSL uses to sign SSL certificates.
Armed with those credentials, an attacker who had seized control over a large network, for example, could intercept all requests for users trying to visit a specific e-commerce or banking Web site. The attacker could then redirect the user to a counterfeit version of the site designed to steal the user's credentials. All the while, the user may never know the difference, because the attacker would have presented the victim's Web browser with an SSL certificate, which was signed by an approved CA.
"Signing certs with MD5 in 2008 is negligent," said Jacob Appelbaum, one of the team members and a researcher with the Tor Project, a free online anonymity technology. "The problem is that we trust these CA companies, and maybe we shouldn't."
Apple's entry-level iPad could get a new, cheaper refresh in 2024
Apple's May 7 iPad event - here's what we expect to be announced
Global data generation: 660ZB by 2030, so SK hynix pre-announces insane 300TB future SSD for AI
X users will now get AI-generated news summaries
NVIDIA's next-gen GeForce RTX 5090 and RTX 5080 Laptop GPUs rumored to BOTH have 16GB VRAM
Fractal Design North XL Full-Tower Chassis Review
Western Digital WD Gold 24TB HDD Review - High-Capacity Masterpiece
AOC U27G3X 27-inch Gaming Monitor Review - 4K 160Hz for $500
MSI Vector GP68HX Gaming Laptop Review
Dell UltraSharp 40 5K Curved Thunderbolt Hub Monitor (U4025QW) Review
XPG Core Reactor II VE 850w 80 PLUS Gold ATX 3.0 PSU Review
SteelSeries Arctis Nova 4X Wireless Gaming Headset Review
ACEMAGIC AD08 "Core i9 11900H" Mini PC Review
Lenovo ThinkPad X1 Carbon Gen 12 Review
ASUS ROG Swift Pro PG248QP Gaming Monitor Review - Frames, frames, and more frames
Building the Ultimate Home Entertainment Server with an ASUSTOR NAS and Viper Gaming NVMe SSDs
Everything you need to know about the latest ASUS NUC Mini PCs - NUC 14 Pro and ROG NUC
How to Overclock Your GPU and Boost Your PC Gaming with ASUS GPU Tweak III
ASUS's AMD Radeon RX 7000 Series GPU lineup has something for every gamer
ASUS OLED Premium Care defends the ROG Swift OLED PG32UCDM gaming monitor from burn-in