103 Comments
- alsutton, on 12/31/2008, -7/+118
Story stolen by a power-digger (http://digg.com/security/SSL_certificates_created_ ...
Last time I bother submitting to digg.
- inactive, on 12/30/2008, -1/+58
Can't wait to see the new Norton Internet Security Ads.
"Really, it's just way beyond you."
- wumps, on 12/31/2008, -3/+47
They should forget about SHA-3 and go straight to SHA-NA-NA
- houndeyex, on 12/31/2008, -1/+38
Well damn, it only takes 200 Playstation 3's. Looks like I'm cracking me some MD5's tonight.
- zaferk, on 12/31/2008, -0/+32
decoding md5? as if it were some plaintext cipher? only in my digg
- inactive, on 02/25/2009, -0/+32
you might be glad to know that one power user (or wanna-be even) added me to his gtalk list a few days ago and told me to send him a link to any submission i might like him to digg. i added him and said okay but i kinda stopped submitting anything two weeks after joining digg seeing the politics behind it.
he was okay and was talking to me in a very friendly manner about off-topic stuff like "what do you do? do you blogg" etc etc, but few years ago he started what he does best: "hi, digg this link www.link.com"
i instantly removed and ignored him, and secondly what i'm going to do now is delete each and every power user wannabe retard from my digg friend list (although I am glad i have some really cool friends who, much like me, don't bother submitting either and instead browses 'upcoming' section and digg whatever is diggworthy), set shouts to be sent to me only by friends (who is gonna shout if you have no friends?) and then remove my gtalk, yahoo and twitter ids from the bio. I know i'm just talking about myself like a tool, but let's just think of it as a new year resolution :P
I'm totally sick of these power digging politics, and I'm feeling embarrassed to comment on and view the links that are getting submitted to front page now because what's happening is totally unfair.
Submitter's IDs need to be totally anonymous and digg should reveal his/her ID/s once his link gets to frontpage and becomes popular. There should be no friend's list for any reason whatsoever, or else anonymous submitters would send their ***** pms and direct them to his anonymous link so that they can digg and popularize them.
- FurryToaster, on 12/31/2008, -6/+38
I heard you could do it with 43,000 atari 2600's
- dwight, on 12/31/2008, -2/+29
that is so incorrect, im not sure where to start
- jetboyterp, on 12/31/2008, -6/+29
How many Wii's would it take? (And would there have to be someone for every console to wave the controller around?)
- stevehanler, on 12/31/2008, -0/+23
Also,
http://digg.com/security/MD5_considered_harmful_to ...
http://digg.com/security/SSL_broken_Hackers_create ...
http://digg.com/tech_news/MD5_considered_harmful_t ...
http://digg.com/security/Researchers_Use_PlayStati ...
http://digg.com/security/Group_attacks_flaw_in_bro ...
http://digg.com/security/A_Serious_Threat_to_Onlin ...
http://digg.com/security/A_Layman_s_Explanation_of ...
All submitted about a day before this story.
- MickJT, on 12/31/2008, -0/+17
MD5 is perfectly fine for simple file verification to see if your ISO downloaded properly. Of course the .iso might have the same MD5 but it'd be complete gibberish.
Certificates filled with random data is a different matter... why would anyone use MD5 these days for that?
- inactive, on 12/31/2008, -2/+19
I thought we've mostly moved from using MD5...
I sure as hell hope this is a very big wakeup call to those responsible for starting the move who have not.
- LordKorax, on 12/31/2008, -0/+15
Love the relevant image.
- dwight, on 12/31/2008, -1/+16
a) right. no other humans exist with the technical ability of these guys, and none of them are capable of doing bad.
b) yes, they only sell ps3s to good guys.
c) dont need to hack dns servers. remember the dns cache poisoning a couple months ago? heard of dns spoofing? super easy to do on the same wifi network.
d) what are "security dudes" going to do in response? take their computers away?
e) they already list the CA that uses md5, and they only need to find one, just like the researchers did to get the rogue one
so, the sky is not actually falling, but you're mostly wrong on every point...
- StuartGibson, on 06/14/2009, -0/+15
Basically it means that when you go to a "secure" site, it checks a Certificate Authority (CA) which is basically a trusted third party that verifies that the site is legitimately secured and can be trusted. By creating a rogue one, sites could be hijacked (for example your bank) yet it would still show as a secure, trusted connection.
Basically, it means phishing sites could lull you into a false sense of security (no pun intended).
- twoblink, on 12/31/2008, -0/+14
http://ehash.iaik.tugraz.at/wiki/The_SHA-3_Zoo
I'm predicting the 2 strongest will be Keccak and Skein.
My initial nod goes to Keccak.
For right now, you should all be using SHA2 variants..
- ProfessorLX, on 12/31/2008, -0/+12
MASTERPL i like your style, and im gunna have to believe PaulOwen as well, although, if dwight replied with another "nope, you're definitely wrong. way to double fail." i would have to go with dwight. lets see how this unfolds.
- GreenNoise, on 12/31/2008, -1/+12
You can't decode a 1-way hash. The only known attack against it is by brute force or dictionary attack.
This article omitted a lot of details such as the number of bits of the key, and the amount of time it took them to crack it.
- chr00t, on 12/31/2008, -0/+11
Norton & mcafee both suck ass
- inactive, on 12/31/2008, -2/+12
I'm too lazy to check which one of you is right, so I'm giving it to PaulOwen. Hope you didn't just ***** me over.
- latrosicarius, on 12/31/2008, -0/+10
"so it might be better for the vulnerable CAs to jump right to SHA-2 or SHA-3."
yeah, i was wondering if i missed the part where SHA-3 exists.
- nerdzero, on 12/31/2008, -1/+11
I wouldn't even bother reading an article called "Decrypt MD5 Hashes" since you don't decrypt a hash.
And rainbow tables are pretty useless without the correct salt.
- purfideas, on 12/31/2008, -1/+11
Here are some fallacies I've observed, while following the story here and elsewhere:
1. My server certificate is signed using SHA, so my site is not vulnerable. [wrong]
2. My signing CA uses SHA, so my site is not vulnerable. [sorry]
3. If I remove from my browser all root CA's that have md5 sigs, then my own SSL traffic is safe. [oh so sorry]
4. If I remove from my browser all root CA's that sign with md5, then my own SSL traffic is safe. [getting closer]
5. If I remove from my browser all root CA's that have ever been in a cert chain involving md5 signatures, then my own SSL traffic is protected from this attack. [ok technically true, but you effectively turned off the Internets]
6. Now that RapidSSL discontinued signing with md5, the problem is gone. [wrong]
7. If the six CA's listed by the researchers turn off md5 sigs, it's back to normal. [doubt it, the job of the researchers in finding a target, was much easier than identifying all points of vulnerability]
8. If *all* md5 signing on the internet are turned off, we're safe. [maybe, but unfortunately there still could be another rogue CA out there].
9. The firewall guys can prevent this [wishful thinking at best]
10. Microsoft will release a patch and fix this. [only possible if one of 1-9 were a feasible solution]
- RetepNamenots, on 12/31/2008, -0/+9
"And us as well!"
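
The trust-store reasoning behind fallacies 1-3 in purfideas' list above, as an added example that is not part of the original thread. It is a structural model only (no real cryptography); the certificate names, the `Cert` type and the `reject_md5` policy switch are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    sig_hash: str          # hash algorithm inside the issuer's signature on this cert
    is_ca: bool = False

def chain_links(chain):
    """Leaf first, trust anchor last: each cert is issued by the next one, which must be a CA."""
    return all(c.issuer == p.subject and p.is_ca for c, p in zip(chain, chain[1:]))

def md5_links(chain):
    """Subjects of certs whose signature uses MD5. The anchor's self-signature is
    skipped: it is trusted by configuration, not by checking that signature."""
    return [c.subject for c in chain[:-1] if c.sig_hash == "md5"]

def browser_accepts(chain, trust_store, host, reject_md5=False):
    """Model of a client that accepts a chain ending at ANY root in its trust store."""
    if chain[0].subject != host or chain[-1] not in trust_store:
        return False
    if not chain_links(chain):
        return False
    return not (reject_md5 and md5_links(chain))

# Constructed sample data (all names hypothetical).
ROOT_A = Cert("Root A", "Root A", "sha1", is_ca=True)     # issues with SHA-1
ROOT_B = Cert("Root B", "Root B", "sha1", is_ca=True)     # own cert is SHA-1, but it issues with MD5
REAL = [Cert("shop.example", "Root A", "sha1"), ROOT_A]   # the site's genuine chain
ROGUE_CA = Cert("Rogue CA", "Root B", "md5", is_ca=True)  # the colliding, MD5-signed CA cert
FORGED = [Cert("shop.example", "Rogue CA", "sha1"), ROGUE_CA, ROOT_B]
STORE = {ROOT_A, ROOT_B}

def fallacy_report():
    return {
        # Fallacies 1 and 2: the site and its CA use SHA, yet the forged chain is accepted.
        "forged_accepted": browser_accepts(FORGED, STORE, "shop.example"),
        # Fallacy 3: dropping roots whose *own* signature is MD5 removes nothing here.
        "roots_left_after_fallacy_3": len({r for r in STORE if r.sig_hash != "md5"}),
        # Refusing MD5 on any non-anchor link blocks the forged chain, not the real one.
        "forged_accepted_strict": browser_accepts(FORGED, STORE, "shop.example", reject_md5=True),
        "real_accepted_strict": browser_accepts(REAL, STORE, "shop.example", reject_md5=True),
        "weak_links": md5_links(FORGED),
    }

if __name__ == "__main__":
    print(fallacy_report())
```
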
- StuartGibson, on 06/14/2009, -0/+8
Wow, I say "basically" a lot :(
- c0dy, on 12/31/2008, -1/+9
So *that's* who's buying PS3s nowadays!
- alsutton, on 12/31/2008, -1/+9
My point is that it shows what's really wrong with digg at the moment, yes they're different sites and titles, but the story is essentially the same, yet my original post is currently running at 13 diggs.
I've been getting the feeling that digg has become more like a mainstream news channel where there are a few that control what the masses see, and if you're not in the few it's very very very difficult to get to the front page, and this was a first hand demonstration to me of what it can be like.
At the moment it seems that with the personalised upcoming list the number of friends you have is more important to getting a story on the front page than the content of the story, and for me that isn't the basis for a good news selection.
Still, I guess I can always go back to slashdot and see how the two compare for news stories I find interesting.
- LoveWidescreen, on 12/31/2008, -0/+7
Link fixed:
http://digg.com/security/SSL_certificates_created_ ...
And, yes, the link above was submitted about four hours before this one; however, they are of differing titles and are on different web sites. If you look at the text of each site, they're not the exact, same story. So, it's debatable whether or not the dupe catcher would have accurately caught this one.
- PaulOwen, on 12/31/2008, -6/+12
dwight you moron.
Yes it was - check your facts - why *exactly* do you think rainbow tables can be used to detect collisions in MD5?
Dork.
I'm always amazed when I read "corrections" from people who are:
a) wrong (and a quick google could confirm that)
b) really confident that they are right
I suppose you're the kind of person who will eventually be run over by a bus in a country where you swore that you read somewhere that they drive on the same side of the road as the US.
That day will not come quickly enough.
- rhowell, on 12/31/2008, -0/+6
wow... an interesting tech article on the front page
I'm shocked.
- inactive, on 02/25/2009, -0/+6
here's a link to pictures in that you would be able to see all the 200 ps3s in action and also that the hackers let some kids play them (out of kindness?) before getting to work :P
http://www.win.tue.nl/~bdeweger/PS3Lab/
- LoveWidescreen, on 12/31/2008, -0/+6
You're showing your age there, wumps! ;) Of course, I recognized the joke so I guess I'm showing mine as well...
- Macuyiko, on 12/31/2008, -0/+5
f) Read this post: http://erratasec.blogspot.com/2008/12/not-all-md5- ... , basically, using an incrementing serial number (like RapidSSL) greatly improves your chances of hacking the system. When you use a random serial number in your certificate, finding a collision becomes much harder, even with 200 PS3's and MD5.
- bieber, on 12/31/2008, -1/+6
Clearly, you've never tried to code anything useful on the 2600 ;)
- adkenc, on 12/31/2008, -1/+5
Oops, what you're looking for isn't here!
- ProfessorLX, on 12/31/2008, -0/+4
Goblin & ThsGuyRightHere
thanks for making that easy to understand! digg still has people that know what they're talking about and give a *****. you guys rock.
- dwight, on 12/31/2008, -0/+4
on medium detail, yes
- FurryToaster, on 12/31/2008, -0/+4
No I haven't, but I did stay in a Holiday Inn last night. (Those paddle controls suck anyway)
- fwertz, on 12/31/2008, -0/+4
"Tea?"
- minorgods, on 12/31/2008, -0/+4
The numbers are so unbelievably big all the computers in the world could not break them down. But maybe, just maybe... There's a shortcut.
- Tiak, on 12/31/2008, -1/+5
There exist sufficiently large tables of md5 hashes that most of the corresponding passwords people use are available. This says nothing about the security of the algorithm, only that it is popular.
It has also been possible for quite a while to generate several outputs with the same MD5 checksum reasonably quickly on regular PCs, but I doubt this has anything to do with what you're talking about, and this isn't quite the same as generating a file with the same checksum as an already existing file.
- aamer, on 12/31/2008, -0/+4
Only 2 CAs left that haven't moved yet. I believe RapidSSL is the largest one that is still on MD5. I'm sure they'll move to SHA1 after this.
- robdiggity, on 12/31/2008, -0/+4
Dip dip dip dip dip dip dip dip boom boom boom boom boom get a job!
- kaelyiesta, on 12/31/2008, -0/+4
Me too...
Ever since it was designed MD5 has been known for not being intended for a lot of the things it's used for. It's just a simple hash, that does a pretty good job verifying correctness of downloads and such. It's not even good for detecting false data. I read an article maybe 6 months back (that I can't find now) stating a proven method of being able to add some arbitrary nonsense to some data that could give that 'message' the same MD5 hash as some other bit of data. So, it shouldn't even be used for detecting impostor data anymore.
- aamer, on 12/31/2008, -0/+3
They're both right to some extent. MD5 vulnerabilities were found some years ago (don't think it was '95 though) and it is a "one pass" function which makes it especially vulnerable.
However, part of the issue with hashing is that, even with no vulnerabilities, the increasing power of computers makes it easy to detect collisions (notice they had to use 200 playstations to create this crack).
The real news here, though, is not in the MD5 vulnerability, but in its successful application in using it to fake a certificate. You can find all the vulnerabilities in a hash, but it becomes a wakeup call when you use it for something as serious as this. The other reason this is news is because only two certificate authorities still use MD5 whereas most everyone else has switched to a different hashing function (usually SHA1). This should convince them to migrate too.
- torressr3, on 12/31/2008, -0/+3
It's from the movie sneakers (1992), the first picture anyway.
And yes it is very relevant isn't it?
- linagee, on 12/31/2008, -2/+5
Too many secrets.
- ThsGuyRightHere, on 12/31/2008, -0/+3
Never underestimate the resourcefulness of a brilliant (albeit unethical) person trying to break the rules for financial gain.
To address one requirement specifically, hacking DNS servers wouldn't be necessary. One could just tell all the computers in a botnet to add entries to their host files for particular sites pointing to rogue duplicate sites. I mentioned this in a previous comment, but the short version is imagine someone doing that on cyber monday next year.
- ThsGuyRightHere, on 12/31/2008, -0/+3
To add to Goblin's answer - It means someone with a relatively small amount of computing resources can make a site that looks like a trusted one (e.g. amazon, ebay, your banking site of choice) to and including accessing it via https and having your browser report that the site is valid. This technique could be used in conjunction with other malicious hacking approaches to mislead users into entering personal info, making what they think are legitimate credit card purchases, etc.
Regarding the possible impact - imagine how much cash someone could rake in if they put up replicas of amazon, ebay, and buy.com and on cyber monday, they told all the computers that were infected with a botnet (typically hundreds of thousands, often in the millions) to send traffic for those sites to the rogue sites they put up.
It would be difficult to pull off, but there are some amazing amounts of resourcefulness displayed by malware authors these days.
- elhaf, on 12/31/2008, -0/+3
It doesn't matter how long it took to crack if you end up with a rogue certificate authority. That's a big deal. you can spoof anybody with that, sign your own "trusted" certificates, etc.