To pull off the attack, the team created a normal certificate and had it signed by a certificate authority that still uses MD5. The team then engineered a collision to create a second certificate, an “evil twin,” that carried the same signature as the first but also appeared to state that the original certificate authority had delegated its certificate-signing powers to the owner of the evil twin.
The evil-twin certificate could then be used to create certificates for any website on the Internet, allowing a malicious individual to impersonate trusted banking websites, padlock icon and all, without raising any of the alarms meant to protect users.
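A relying party or CA auditor can refuse the weak link described above by rejecting any chain element whose signatureAlgorithm is MD5-based. The following is an added example, not code from the article or from the researchers; the OIDs are the RFC 3279/4055 values, and the certificates it checks are constructed DER shells rather than real ones.

```python
# Signature-algorithm OIDs from RFC 3279/4055 (the RFCs' values, not the article's).
MD5_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
            "1.2.840.113549.2.5": "md5"}

def read_tlv(buf, pos):                   # one DER element -> (tag, value, next pos)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                               # long-form length, as real certs use
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def decode_oid(body):                     # OID content bytes (base-128 arcs) -> dotted
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val); val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """OID of Certificate.signatureAlgorithm, the algorithm the CA signed with."""
    tag, cert, _ = read_tlv(cert_der, 0)        # Certificate ::= SEQUENCE
    _, _tbs, pos = read_tlv(cert, 0)            # tbsCertificate, skipped here
    alg_tag, alg, _ = read_tlv(cert, pos)       # AlgorithmIdentifier ::= SEQUENCE
    oid_tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x30 or alg_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not a DER Certificate")
    return decode_oid(oid)

def uses_md5(cert_der):                   # True: reject this chain element
    return signature_algorithm(cert_der) in MD5_OIDS

# --- constructed sample certificates (shells, not real ones) -------------
def der(tag, body):                             # short-form lengths suffice here
    return bytes([tag, len(body)]) + body
def der_oid(dotted):
    a = [int(x) for x in dotted.split(".")]
    out = [40 * a[0] + a[1]]
    for v in a[2:]:
        chunk = [v & 0x7F]; v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F)); v >>= 7
        out += reversed(chunk)
    return der(0x06, bytes(out))
def sample_cert(sig_oid):
    tbs = der(0x30, der(0x02, b"\x01"))                   # dummy tbsCertificate
    alg = der(0x30, der_oid(sig_oid) + b"\x05\x00")       # OID + NULL parameters
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 9))  # dummy signature BIT STRING

MD5_SIGNED = sample_cert("1.2.840.113549.1.1.4")          # md5WithRSAEncryption
SHA256_SIGNED = sample_cert("1.2.840.113549.1.1.11")      # sha256WithRSAEncryption
```

A production check would also confirm that the inner tbsCertificate.signature field matches the outer algorithm (RFC 5280 requires it) and would walk every certificate in the chain, not just the leaf.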
RapidSSL, a certificate authority owned by Verisign, issued the MD5 certificates that the team exploited. Independent security researcher Alexander Sotirov, who helped turn the theoretical work on MD5 into the real attack, says that the attack was possible not only because of MD5, but because of lax security in the way that RapidSSL issues certificates, which made it easy to produce a collision.
Just six hours after the researchers gave their presentation, Verisign announced that RapidSSL had moved to a more secure hash function. Tim Callan, vice president of product marketing for Verisign, explains that the company had been working on the move since it bought RapidSSL in 2006. However, he says, the company was proceeding cautiously because it didn’t want to disrupt the SSL services already offered to its partners. “If you are arbitrary or capricious with that, then what happens is that people will respond by using lower-security alternatives,” Callan says.
Sotirov credits Verisign for acting quickly in response to the attack, but says that the current infrastructure for certificates “is not working very well at all.” He adds, “It’s worrisome that so many certificate authorities are equally trusted,” particularly when different authorities use different standards to verify the identity of potential clients and to secure the certificates that they issue. He says that market forces, which reward certificate authorities for fast response times and low prices rather than for good security, are creating a “race to the bottom” that increases the chance of security issues in the future.
Sam Curry, vice president of product management for security company RSA, which abandoned MD5 in its certificate authorities about a decade ago, says that he thinks it’s important for companies to stay on top of theoretical attacks before they become real ones. “I’m thrilled, in a way, when people find these theoretical weaknesses because it means that we’re actually doing real testing and real, deep thinking about it,” Curry says. “I’m not thrilled when the practical ones roll out, because that’s when people get hurt.”
But Kocher says that it’s unlikely that average users will be affected. While certificate authorities should pay serious attention to the researchers’ attack, he says that, unfortunately, there are much easier ways to scam users online.