Blown To Bits

Broken padlocks in Web security

Thursday, January 1st, 2009 by Hal Abelson

When you browse to a Web page, there’s sometimes a little padlock in the corner of the window. The padlock is supposed to indicate security: that the Web connection is encrypted and the server at the other end of the connection is authentic, not an impostor. That’s why you’re supposed to feel secure in sending your credit card number or your bank account information across the Web. On December 30, we learned that this padlock isn’t so trustworthy after all, when a group of cryptography researchers announced that they had been able to create a forged digital certificate.

Digital certificates, as we explained in Blown to Bits, are the basic mechanism that browsers use to validate the integrity of Web connections. A message is authenticated by means of a mark called a digital signature (see B2B chapter 5) operating on a compressed version of the message called the message digest. The signature itself is signed in turn by an organization called a certification authority; a signed signature is called a certificate. When you browse to the web site for Bank of America, for example, the BofA site presents its certificate and your browser checks the signature; if the signature checks out, your browser turns on the padlock to let you know that the remote Web site really is the one for BofA and you can proceed in safety — supposedly. The researchers were able to construct the bogus certificate so that it appeared to have been signed by one of the certification authorities whose certificates are automatically trusted by almost all browsers.

A single forged certificate on the Web might not seem like such a big deal, but that certificate could be used to sign other certificates, which would also be trusted, and those certificates used to create new bogus trusted certificates, and so on, potentially flooding the Web with bogus certificates. Until now, if evil Eve created a Web site that masqueraded as Bank of America and tricked people into visiting it (that’s a fraud called phishing), careful users would know to check that the connection is secure and the padlock is showing before entering sensitive information. But now, if Eve gets hold of one of the forgeries, she can create a message claiming whatever she likes, sign it using the forgery, and have her fake site present the result as the “Bank of America” certificate. When browsers connect to the fake site, the certificate is checked, the padlock appears, and even careful users will be fooled into thinking they are talking to the authentic bank site.

The reality isn’t actually that bad. The researchers who made the announcement are top cryptographers, and although they’ve published a great explanation (here) of how they accomplished the forgery, they don’t give all the details. Also, to forestall damage if their certificate falls into the wrong hands, they constructed it so that it appears to have already expired.

The forgery was accomplished by exploiting a weakness in the method of producing message digests, which uses an algorithm called MD5. Tuesday’s announcement wasn’t a big surprise to anyone in the cryptographic community, because the theoretical basis for the exploit was described at a cryptography conference in 2004. We mention this in chapter 5, along with the 2004 recommendation that Web product vendors stop using MD5 and switch to a stronger method called SHA.

And yet, as has been so common throughout the history of cryptography (as B2B describes), the vendors didn’t stop, at least not right away. And so Tuesday’s announcement was followed yesterday by a predictable “it’s not our fault” scramble.

Microsoft released a security advisory pointing out that “this is not a vulnerability in a Microsoft product”. Ahem … it’s just a vulnerability in a related product that Microsoft relies on in order to function. It’s like when the construction company involved in the Boston Big Dig tunnel ceiling panel collapse protested they didn’t make the glue, they only glued in the panels. Microsoft did point out, however, that it had stopped using MD5 in its own products.

Microsoft’s advisory also pointed out that “the techniques to perform these attacks and the underlying cryptography that facilitate them were not released by the researchers. Attacks would be very unlikely to be implemented at this point in time.” The technical term for that approach is: denial.

As for what Windows users should do, Microsoft’s answer is that there’s pretty much nothing to do, except to install the latest Windows updates, which are unrelated to this issue.

Mozilla’s response was even more lame, pointing out that “this is not an attack on a Mozilla product” and advising users to “exercise caution when interacting with sites that require sensitive information.”

Neither Microsoft nor Mozilla said they would provide some actual protection, for example — as recommended by the researchers — patching their browsers to signal a warning when a certificate uses MD5, or even to reject such certificates outright, thereby forcing the certification authorities to immediately produce alternatives to MD5 signatures.
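The browser-side check the researchers recommended, refusing a certificate whose signature uses MD5, as an added example that is not part of the original post: it walks a certificate's DER encoding just far enough to read the outer signatureAlgorithm OID and compares it against the MD5-family identifiers. The sample certificates are constructed skeletons produced by a toy encoder (an assumption of this example, not real signed certificates), so the check runs offline.

```python
# Added example (not from the original post); the sample certificates are constructed skeletons.
WEAK_SIG_OIDS = {                                 # PKCS#1 / RFC 3279 identifiers
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
}
def _tlv(tag, body):                              # DER TLV, short-form length only
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body
def _oid(dotted):                                 # dotted string -> OBJECT IDENTIFIER
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:                           # base-128, high bit = continuation
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += chunk
    return _tlv(0x06, bytes(out))

def make_cert(sig_oid):                           # constructed, unsigned skeleton
    alg = _tlv(0x30, _oid(sig_oid) + b"\x05\x00") # AlgorithmIdentifier { OID, NULL }
    tbs = _tlv(0x30, _tlv(0x02, b"\x01") + alg)   # tbsCertificate: serial, signature
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" + b"\xAA" * 16))

def _read_tlv(buf, pos):                          # -> (tag, body, next_pos)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                 # long-form length, as real certs use
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _decode_oid(body):                            # OBJECT IDENTIFIER bytes -> dotted
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, v = arcs + [v], 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):                     # OID the CA signed this cert with
    _, cert, _ = _read_tlv(der, 0)                # Certificate ::= SEQUENCE
    _, _, p = _read_tlv(cert, 0)                  # skip tbsCertificate
    _, alg, _ = _read_tlv(cert, p)                # outer signatureAlgorithm
    tag, oid, _ = _read_tlv(alg, 0)
    assert tag == 0x06, "malformed AlgorithmIdentifier"
    return _decode_oid(oid)

def assess(der):                                  # the browser policy the post asks for
    oid = signature_algorithm(der)
    return ("reject", WEAK_SIG_OIDS[oid]) if oid in WEAK_SIG_OIDS else ("accept", oid)
```

The same walk applies unchanged to a real DER certificate, since only the outer SEQUENCE, the tbsCertificate length and the AlgorithmIdentifier are inspected.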

As for those certification authorities, the only one I noticed a response from was Verisign, whose RapidSSL brand of certificate was the one forged, and which is apparently the largest supplier of MD5 certificates. Verisign issued a quick response saying that they had been planning to eliminate MD5 certificates by the end of January anyway, and they were on track to do this. (Where were they in 2004?) They also offered to replace any MD5 certificates free of charge. (But notice that it is the user who relies on the certificate, not the firm presenting the certificate, who is at risk here.) As the researchers write in their report:

And what none of the responses consider is that if these four researchers were able to pull off this exploit, then someone else, less benign and better funded, may have already done it. A suspicious person might wonder whether the Internet is already polluted with bogus certificates.

Overall, this was a tour de force of cryptographic skill, but it was not a proud moment for an industry supplying an infrastructure that’s becoming increasingly critical to the entire world and that has been telling us for years how seriously it takes security. As the researchers write,

It was quite surprising that so many CAs are still using MD5, considering that MD5 has been known to be insecure since … 2004. Since these CAs had ignored all previous warnings by the cryptographic community, we felt that it would be appropriate to attempt a practical attack to demonstrate the risk they present to everybody using a web browser that includes their root CA certificates.

The eighteenth-century diplomatic officers, who kept on using substitution ciphers 800 years after that method had been broken (see B2B), would have felt right at home here.

Then again, if these past months have taught us anything, it’s that you don’t need Web spoofing to commit financial fraud on a massive scale. Merely subverting Internet security seems downright penny-ante in comparison.
