A team of researchers hacked VeriSign’s RapidSSL.com certificate, demonstrating what they say is a means of launching nearly undetectable phishing attacks. The team achieved it with the help of 200 Sony Playstations.
According to IDG, the researchers exploited a specific bug in the MD5 hashing algorithm used to create some digital certificates that prove a Web site’s authenticity. The flaws were supposedly known, and via those flaws VeriSign Inc’s RapidSSL.com site was hacked to create fake digital certificates for any site on the Internet.
Should the exploit become widespread, all the controls placed in modern browsers or current security software to detect phishing software would all be for naught. The flaw in the MD5 algorithm makes it possible to have two different documents with identical hash values. That would be like having two different people with similar fingerprints, both able to access the same biometric resources. The researchers said that it wasn’t likely any actual attacks would occur from using the flaw, something Microsoft also said in a security advisory.
How exactly did Playstation 3 machines figure into all this? Supposedly code breakers like the Playstation’s Cell processor for its capabilities at performing cryptographic functions. Possibly more information about the experiment will be revealed as the researchers present their findings at the Chaos Communication Congress in Berlin.
“It’s a wake-up call for anyone still using MD5,” said David Molnar, a Berkeley graduate student who was part of the project. Combined with the flaw in the Internet’s Domain Name System (DNS), undetectable phishing could be done.
Cryptographers have long pointed out the weaknesses of MD5, with Bruce Schneier, noted cryptography expert saying that certificate authorities should have upgraded to more secure algorithms such as SHA-1 “years ago.” Schneier did note that there were far more pressing Internet problems, such as weaknesses that expose large databases of sensitive information to attackers.
“It doesn’t matter if you get a fake MD5 certificate, because you never check your certs anyway,” he said.