Browser Security Fail, MD5 broken, CA gone rogue


A group of security researchers (Alex Sotirov, Jacob Appelbaum, Marc Stevens, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger) has identified a vulnerability in the public key infrastructure used to issue digital certificates for secure websites. As a proof of concept they have shown that they can carry out an attack scenario that creates a rogue Certificate Authority (CA) trusted by all common browsers. This allows an attacker to impersonate any website on the Internet, including banking and other transaction-based sites secured with the HTTPS protocol (SSL) (here), with details (here).

A short summary of our result is that we have come in possession of a “rogue” Certification Authority whose certificate will be accepted by default by most browsers. Thus we are able to issue SSL certificates to any website we like, including rogue websites claiming to be legitimate ones.

This has been possible by exploiting the following weaknesses:

  • an efficient method to construct “chosen-prefix collisions” for the MD5 hash function,
  • there is at least one commercial Certification Authority that:
      • issues certificates with a signature created using the MD5 hash function,
      • processes online requests for certificates in an automated way,
      • does not check for anomalous requests,
      • allows predicting with reasonable probability of success a valid combination of serial number and validity period,
      • has no technically enforced limit on the length of a chain of certificates.

Any website, whether it is secure (i.e. uses SSL) or not, whether it has an MD5-based, SHA-1-based, SHA-256-based, or any other type of certificate, irrespective of which Certification Authority issued the certificate, can be impersonated; in particular, not only genuine websites that have an MD5-based certificate are vulnerable.


The computations needed for our work were done on a cluster of about 200 PlayStation 3 game consoles in the cryptanalytic lab at EPFL.

That is cool!

This was a fairly sophisticated attack scenario, and it requires a level of dedication by the attacker that will probably result in limited exploitation. Unfortunately there is little the average user can do to prevent exploitation, except to remain diligent, assume that all of your personal and confidential information is known by everybody, and act accordingly by monitoring sensitive accounts and information for misuse.

There is however a list of suggestions (here): for the Certificate Authorities, stop using MD5 altogether; for browser and OS vendors, provide warnings when encountering MD5 hashes and pressure CAs to stop using them; and for website owners, pressure CAs to stop using MD5.
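As an added illustration of the browser-vendor suggestion (this is example code written for this post, not the researchers' code or anything from a browser), here is a small Python check that walks the outer DER structure of each certificate in a chain and flags any whose signatureAlgorithm is md5WithRSAEncryption. The certificates at the bottom are constructed stand-ins with placeholder contents, not real certificates.

```python
# Added example: flag MD5-signed certificates anywhere in a chain (leaf first) with a minimal DER walker.
MD5_WITH_RSA = "1.2.840.113549.1.1.4"       # md5WithRSAEncryption
WEAK_SIG_OIDS = {MD5_WITH_RSA}

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(content):
    """Convert DER OID content bytes to dotted-decimal form."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                                # last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der_cert):
    """Dotted OID of the outer signatureAlgorithm of a DER-encoded X.509 certificate."""
    tag, cert, _ = _read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)                      # skip tbsCertificate
    _, alg, _ = _read_tlv(cert, pos)                    # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return _decode_oid(oid)

def md5_signed_members(chain):
    """Indices of MD5-signed certs. Every link is checked, not only the leaf: the
    rogue CA's own certificate is the MD5-signed one; the leaf it issues can use any hash."""
    return [i for i, der in enumerate(chain) if signature_algorithm(der) in WEAK_SIG_OIDS]

# Constructed stand-ins: placeholder tbsCertificate and signature, real AlgorithmIdentifier.
def _der(tag, content):
    return bytes([tag, len(content)]) + content         # short-form length is enough here

def fake_cert(sig_oid_der):
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, sig_oid_der) + _der(0x05, b""))   # OID + NULL params
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" + b"\xaa" * 8))
MD5_OID_DER = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x04"     # 1.2.840.113549.1.1.4
SHA256_OID_DER = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11
SAMPLE_CHAIN = [fake_cert(SHA256_OID_DER), fake_cert(MD5_OID_DER), fake_cert(SHA256_OID_DER)]
```

On the constructed chain the MD5-signed certificate is the intermediate (index 1), which is exactly the position a rogue CA would occupy while the leaf itself looks clean.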

Bottom Line: Just like with Kaminskygate, the Internet is still here in all its glory and fail. This does however highlight the importance of independent security research and its effectiveness in providing information on how to better implement security controls that affect most, if not all, of us. Thierry Zoller said it best: “Academic research + hacker ingenuity at its finest. We need more of it. Awesome.”

Additional analysis (here), (here), (here), (here), (here), (here), (here), (here) and (here)

