December 31st, 2008

MD5/rogue CA attack: The sky is not falling

Posted by Ryan Naraine @ 7:25 am

Categories: Anti Virus, Arbitrary Code Execution, Browsers, Complex Attacks, Exploit code, Firefox, Malware, Microsoft, Mozilla, Phishing, Punditocracy, Responsible disclosure, Spam and Phishing, Vulnerability research

Tags: Certification, Certification Authority, Computer Associates International Inc., Attack, MD5, Ryan Naraine

Guest post by John Viega

Today there’s been a lot of buzz about the clever new attack on public key infrastructure from Alex Sotirov and a team of researchers. In the attack, the bad guy ends up with his own Certification Authority (CA) that is fully trusted according to every major browser. People are declaring the entire Internet is broken, and that it will be hard to fix. This is simply not true.

The major misconception I’m seeing over and over is that the attack lets the bad guy lift a valid MD5 signature off any existing certificate on the Internet.


[ SEE: SSL broken! Hackers create rogue CA certificate ]

Actually, the attack works by a bad guy generating two certificates: one that is just a regular web site certificate, and another that is a CA certificate. Then, to get the CA certificate trusted, the bad guy submits the web site cert. If he can predict the internal values the CA will use when he starts generating the certificates (a process that currently takes a few days), then he gets back a signature that can be pasted onto the CA cert. That rogue CA can then issue new certs to impersonate anybody on the Internet (e.g., Citibank.com).

This means that existing certificates aren’t currently an attack vector, unless they were actually used in an attack.

As a result, this hole is easier to close than people think. The few CAs signing certs with MD5 need to switch to SHA1 (or something stronger). That immediately gets rid of the problem for new certs.

[ Chris Eng: An easy fix ignored ]

For old certs, the risks are also pretty low. Given the up-front research and development costs that would have been necessary, there’s a very good chance that bad guys have focused on low-hanging fruit like social engineering instead of investing the research dollars.

Once the researchers publish technical details on the tricks they used to make the attack cost effective, then probably some bad guys will try, as long as there are still vulnerable CAs.  My guess is that there won’t be.

Even if some bad guys have done all the work, it’s unlikely to have been used more than a handful of times. Either the bad guys will use their fake CA credentials selectively so as not to get caught, or they will get caught quickly, and the certs will be blacklisted. Either way, the long term risks are negligible, as long as all CAs migrate from MD5 immediately, or take other precautionary measures, such as using a random certificate ID instead of a sequential one.

And for those CAs that don’t take mitigating steps immediately, the operating systems and browsers of the world should move to blacklist them ASAP.

Right now, the only CA that seems to consistently sign using only MD5 (signing with both also thwarts this attack) is RapidSSL/FreeSSL (FreeSSL is owned by RapidSSL and is used for trial certs). Who knows why these guys have not migrated away from MD5. But assuming they do it soon, there is little to worry about.
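The two things a defender can check for in a certificate, per the discussion above, are the signature algorithm and whether the serial number looks like a counter. The following is an added example, not code from the original post or from any CA: a minimal DER walker that extracts both fields from an X.509 certificate, plus a tiny encoder used only to construct skeleton sample certificates inline (the 64-bit serial threshold is an assumed heuristic, not something the post states).

```python
MD5_RSA = "1.2.840.113549.1.1.4"    # md5WithRSAEncryption
SHA1_RSA = "1.2.840.113549.1.1.5"   # sha1WithRSAEncryption (the post's suggested switch)

def tlv(tag, body):                 # DER tag-length-value, short or long-form length
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def read(buf, pos):                 # inverse of tlv: (tag, value, position after the TLV)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                    # long form: the low 7 bits say how many length bytes follow
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 127:              # base-128, continuation bit set on all but the last byte
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += chunk
    return bytes(out)

def decode_oid(b):
    arcs, val = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        val = (val << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def build_skeleton_cert(serial, sig_oid):  # constructed sample, not a real certificate
    alg = tlv(0x30, tlv(0x06, encode_oid(sig_oid)) + tlv(0x05, b""))
    serial_der = tlv(0x02, serial.to_bytes(serial.bit_length() // 8 + 1, "big"))  # positive INTEGER
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + serial_der + alg + tlv(0x30, b"") * 4)
    return tlv(0x30, tbs + alg + tlv(0x03, bytes(129)))  # empty name/validity/spki, zero signature

def inspect_certificate(der):       # -> (serial, signature OID, list of warnings)
    _, cert, _ = read(der, 0)
    _, tbs, p = read(cert, 0)                  # tbsCertificate: the bytes the CA actually signs
    _, alg, _ = read(cert, p)                  # signatureAlgorithm
    tag, val, q = read(tbs, 0)
    if tag == 0xA0:                            # skip the optional [0] EXPLICIT version
        tag, val, q = read(tbs, q)
    serial, oid = int.from_bytes(val, "big"), decode_oid(read(alg, 0)[1])
    warnings = ["MD5 signature: collision-based forgery is practical"] if oid == MD5_RSA else []
    if serial.bit_length() < 64:               # assumed heuristic: short serials look sequential
        warnings.append("short serial: predictable, so the attacker can guess it before issuance")
    return serial, oid, warnings
```

Run against a real certificate, `inspect_certificate(open("cert.der", "rb").read())` reports the same two fields; a certificate that is both MD5-signed and sequentially numbered is exactly the combination the post describes as exploitable.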

* John Viega is CEO of Stonewall Software and author of several security books including the classic Building Secure Software (Addison Wesley, 2001), and the forthcoming Myths of Security (O’Reilly, 2009). Follow him on Twitter.
