Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo


Unsupported browser: Your browser does not meet modern web standards. See how it scores »

{ action.text }

To pull off the attack, the team created a normal certificate and had it signed by a certificate authority that still uses MD5. However, the team engineered a collision to create a second certificate–an “evil twin”–that matched the signature of the first and also seemed to say that the original certificate authority had delegated its certificate-signing powers to the owner of the evil twin.

The evil-twin certificate could then be used to create certificates for any website on the Internet, allowing a malicious individual to impersonate trusted banking websites, padlock icon and all, without raising any of the alarms meant to protect users.

RapidSSL, a certificate authority owned by Verisign, issued the MD5 certificates that the team exploited. Independent security researcher Alexander Sotirov, who helped turn the theoretical work on MD5 into the real attack, says that the attack was possible not only because of MD5, but because of lax security in the way that RapidSSL issues certificates, which made it easy to produce a collision.

Just six hours after the researchers gave their presentation, Verisign announced that RapidSSL had moved to a more secure hash function. Tim Callan, vice president of product marketing for Verisign, explains that the company had been working on the move since it bought RapidSSL in 2006. However, he says, the company was proceeding cautiously because it didn’t want to disrupt the SSL services already offered to its partners. “If you are arbitrary or capricious with that, then what happens is that people will respond by using lower-security alternatives,” Callan says.

Sotirov credits Verisign for acting quickly in response to the attack, but says that the current infrastructure for certificates “is not working very well at all.” He adds, “It’s worrisome that so many certificate authorities are equally trusted,” particularly when different authorities use different standards to verify the identity of potential clients and to secure the certificates that they issue. He says that market forces, which reward certificate authorities for fast response times and low prices rather than for good security, are creating a “race to the bottom” that increases the chance of security issues in the future.

Sam Curry, vice president of product management for security company RSA, which abandoned MD5 in its certificate authorities about a decade ago, says that he thinks it’s important for companies to stay on top of theoretical attacks before they become real ones. “I’m thrilled, in a way, when people find these theoretical weaknesses because it means that we’re actually doing real testing and real, deep thinking about it,” Curry says. “I’m not thrilled when the practical ones roll out, because that’s when people get hurt.”

But Kocher says that it’s unlikely that average users will be affected. While certificate authorities should pay serious attention to the researchers’ attack, he says that, unfortunately, there are much easier ways to scam users online.

2 comments. Share your thoughts »

Credit: Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger. The cluster was sponsored by EPFL DIT and by a matching equipment grant from the Swiss National Science Foundation.

Tagged: Computing, Web, security, cryptography, hacker, hacks, SSL, chaos communications congress

Reprints and Permissions | Send feedback to the editor

From the Archives


Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me