A team of security researchers and academics has broken a core piece of Internet technology. They made their work public at the 25th Chaos Communication Congress in Berlin today. The team was able to create a rogue certificate authority and use it to issue valid SSL certificates for any site they want. The user would have no indication that their HTTPS connection was being monitored/modified.
http://hackaday.com/2008/12/30/25c3-hackers-completely-break-ssl-using-200-p... http://phreedom.org/research/rogue-ca/
That's a bit of a stretch. It doesn't seem that they've actually broken "a core piece of Internet technology." It's more like they've nibbled at a known potential problem enough to make it a real problem. According to the quoted article, "They collected 30K certs from Firefox trusted CAs. 9K of them were MD5 signed. 97% of those came from RapidSSL." I've seen other discussions of the topic that suggest that a variety of CA's (one such discussion talked about "VeriSign resellers", and I believe RapidSSL ~== VeriSign) are vulnerable. Anyways, I was under the impression that the whole purpose of the revocation capabilities of SSL was to deal with problems like this, and that a large part of the justification of the cost of an SSL certificate was the administrative burden associated with guaranteeing and maintaining the security of the chain. It seems like the major browser vendors and anyone else highly reliant on SSL should be putting VeriSign and any other affected CA's on notice that their continued existence as trusted CA's in software distributions is dependent on their rapidly forcing customers to update their certificates, an obligation that they should have expected to undertake every now and then, even though they'll obviously not *want* to have to do that. I'm aware that the VeriSign position is that their existing certificates are "not vulnerable" to "this attack," which I believe may be the case for some values of those terms. However, it is often the case that a limited- effectiveness example such as this is soon replaced by a more generally- effective exploit, and the second URL suggests to me that what VeriSign is saying may not be true anyways. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.