Website security in question now VeriSign’s SSL hacked

December 31, 2008

A team of researchers hacked VeriSign’s RapidSSL.com certificate, demonstrating what they say is a means of launching nearly undetectable phishing attacks. The team achieved it with the help of 200 Sony Playstations.

According to IDG, the researchers exploited a specific bug in the MD5 hashing algorithm used to create some digital certificates that prove a Web site’s authenticity. The flaws were reportedly already known, and the researchers used them to hack VeriSign Inc’s RapidSSL.com site and create fake digital certificates for any site on the Internet.

Should the exploit become widespread, all the controls placed in modern browsers or current security software to detect phishing would be for naught. The flaw in the MD5 algorithm makes it possible to have two different documents with identical hash values. That would be like having two different people with the same fingerprints, both able to access the same biometric resources. The researchers said that it wasn’t likely any actual attacks would occur from using the flaw, something Microsoft also said in a security advisory.

How exactly did Playstation 3 machines figure into all this? Code breakers reportedly favor the Playstation’s Cell processor for its ability to perform cryptographic functions. More information about the experiment may be revealed when the researchers present their findings at the Chaos Communication Congress in Berlin.

“It’s a wake-up call for anyone still using MD5,” said David Molnar, a Berkeley graduate student who was part of the project. Combined with the flaw in the Internet’s Domain Name System (DNS), the technique could make undetectable phishing possible.

Cryptographers have long pointed out the weaknesses of MD5. Bruce Schneier, a noted cryptography expert, said that certificate authorities should have upgraded to more secure algorithms such as SHA-1 “years ago.” Schneier did note that there were far more pressing Internet problems, such as weaknesses that expose large databases of sensitive information to attackers.

“It doesn’t matter if you get a fake MD5 certificate, because you never check your certs anyway,” he said.


One Response to “Website security in question now VeriSign’s SSL hacked”

  1. Felicidad Stelter:

    Wikipedia has a decent comparison of ssl certificate providers. Hands down I’d recommend choosing a cheap ssl certificate. From what I’ve seen, they all function the same, and installation methods are reasonably similar, but the price varies dramatically.

Copyright © 2014 Blorge.com NS