TECH.BLORGE.com
VISTA.BLORGE.com
MAC.BLORGE.com
GAMER.BLORGE.com

January 2, 2009 |

Verisign replaces discredited web security system

By John Lister





Verisign replaces discredited web security system It would take an average desktop computer 32 years to crack a recently proven flaw in one firm’s system for protecting ‘secure’ websites. But that firm, Verisign, is taking no chances and ditching the system immediately.

Security researchers recently found a way to fake a digital certificate used by Verisign to check that secure websites (those which start with https:// and bring up the padlock symbol in most browsers) really do belong to their claimed owners.

The big problem is that Verisign was among the certificate checking authorities which still relied on MD5, an encryption system which uses a string of 32 letters and numbers. When that system was developed in 1991, it seemed impossible that a computer could ever crack it. With today’s computer power, such a breach has proven possible, albeit only with a barrage of computers (in this case 200 Playstations).

While Verisign already had plans to drop MD5 in a month or so, the researchers’ discovery has prompted the firm to immediately drop the system. Instead it will offer its customers encryption using SHA-1, a more recent system which uses a string that is somewhere in the region of 18 million trillion digits.

Bearing in mind that each extra digit makes the system 36 times more complicated (assuming you only use letters and numbers), it seems safe enough to make the following prediction: if SHA-1 is cracked in our lifetimes, it won’t be through the brute force method used to get round MD5.

While the cracking of the Verisign certificate was an important demonstration of a principle (MD5 simply isn’t complex enough to avoid cracking), it shouldn’t be the sign for panic. Not only are the researchers keeping the full details of their technique confidential, but they used a level of computing power which would likely deter all but the most sophisticated of hackers.

And even if hackers do crack a security certificate system’s encryption, they’d also have to find a way to redirect traffic to their site without detection. That will be a lot harder since the discovery and patching of a bug in the system used to match website addresses to the servers where pages are physically stored.

Related:

  • Stealth Microsoft update breaks "repaired" XP
  • Security flaw in Vista? show me the money
  • Canonical founder will wait for profits
  • Website security in question now VeriSign’s SSL hacked
  • Web site owners may find it harder to hide




    • Sign up for the BLORGE daily email newsletter

    Entry was posted on Friday, January 2nd, 2009 at 3:06 pm under Internet, Security.

    Read more entries by John Lister.
    StumbleUpon Toolbar Stumble It!

    One Response to “Verisign replaces discredited web security system”

    1. DavidB:
      January 2nd, 2009

      The weakness in MD5 having been known for a couple years now its amazing Verisign didn’t take this seriously when first conceptualized and move to a better hash algorithm like practically everyone else did.

    Leave a Reply:

    Copyright © 2008 Engaging and compelling blogs that entertain and inform