A presentation at 25C3 today detailed how researchers were able to create their own Certificate Authority that is recognized by all current webbrowsers, allowing them to create valid certificates for any website they like. While it’s presented as an example of why using MD5 hashes is considered harmful, it also serves as a perfect example of why trusting an SSL certificate in general is a bad idea.
If you want to read all the details of this “hack”, you can find them here. The full article is pretty easy to understand, even if you are not a PKI expert. If you prefer the short version, here it is:
While using MD5 to sign digital certificates has now been shown to be dangerous, the researchers also highlight several other factors that made this attack possible:
- For this specific attack to work, they needed to predict the serial number of certificates issued at a specific time. This turned out to be remarkably easy: RapidSSL uses a simple incrementing counter, instead of generating random serial numbers.
- It’s also necessary to know the validity date of a generated certificate beforehand; this was also way too easy, since RapidSSL generates a certificate exactly six seconds after confirming the order.
- And, last but not least, RapidSSL’s root certificate that is included in web browsers doesn’t include a “path length” attribute. If this had been set to 0, it would only be valid for creating certificates, and not for creating intermediate certificate authorities.
And RapidSSL is not the only party that issues certificates way too easily. You don’t need to create your own fake certificate authority; Comodo allowed anyone to order certificates for domains not under their control.
So as you can see, there are multiple ways to get a real, “trusted” certificate for a domain that is not yours, thus making man-in-the-middle attacks a lot easier. My Firefox came with tens of certificate authorities pre-installed, and there is no easy way for me to check how secure their procedures for issuing certificates are. So just relying on a pre-determined list of “trusted” sources is an accident waiting to happen; it’s just a matter of time until the private key of one of these trusted sources is stolen or one of these also starts issuing certificates without performing proper checks.
Fortunately, alternatives for this system are being developed. One of these are the new Extended Validation certificates, which promise better validation of the party that requested the certificate. But a more important initiative is the Perspectives system: this allows you to detect man-in-the-middle attacks by verifying that you are presented with the same certificate as other users. Most of the time, you don’t really need to know exactly who a certificate belongs to, but you do want to be sure nobody is eavesdropping on your communications. If that is what you need, install the Perspectives plugin for Firefox now.