Rogue SSL certificate exploit puts VeriSign on the spot

Following the success of researchers last week in creating a false SSL certificate based on VeriSign's RapidSSL brand, the company is scrambling to explain how it happened, how it's preventing it from reoccurring, and whether its other SSL certificate-generation services are at risk.

SSL certificates are supposed to be unique identifiers for Web sites and other purposes, but on Dec. 30, an international team of researchers demonstrated at the Berlin Chaos Communication Congress event how they could exploit a weakness in the MD5 hash algorithm in VeriSign's automated RapidSSL certificate-issuance service to gain possession of what they call a "rogue Certificate Authority certificate."

"This certificate allows us to impersonate any Web site on the Internet, including banking and e-commerce sites secured using the HTTPS protocol," stated the researchers in their paper discussing the attack methodology. (Researchers who conducted this work include Alexander Sotirov, Marc Stevens, Jacob Applebaum, Arjen Lenstra, David Molnar, Dag Arne Osvik and Benne de Weger.)

A hash is a mathematical construct used in software to create a unique digital "fingerprint," but experts have speculated about potential weaknesses in the MD5 hash algorithm for more than four years. The international team at the Berlin event proved that with enough computing firepower they could create a certificate that could fool any Web browser into trusting what would be a rogue Web site, if the fake certificate were used.

"As a proof of concept, we executed a practical attack scenario and successfully created a rogue Certification Authority certificate trusted by all consumer Web browsers," the researchers state in their paper. The group emphasized: "Don't use the MD5 algorithm." They also pointed out that they see the potential for a mass denial-of-service attack on the Web based on the kind of exploit they demonstrated.

Four hours after the researchers' proof-of-concept demonstration, VeriSign switched out MD5 for SHA-1 for use in its RapidSSL certificate service, says Tim Callan, vice president of product marketing.

SHA-1 is another hash algorithm and a U.S. government standard, but it too is expected to be replaced with something stronger over the next five years under the hash competition process that the National Institute of Standards and Technology is overseeing.

Callan expressed some frustration that the researchers hadn't contacted VeriSign prior to their demonstration of RapidSSL's vulnerability.

"VeriSign feels this kind of 'white hat' research is important, but we encourage them to share their findings with us," he says. Despite some talk that VeriSign might consider taking legal action against such research, Callan emphasizes, "We wouldn't use legal response to prevent disclosure."

RapidSSL is one of several VeriSign certificate-generation services. "We're not revealing how many seats are out there, but RapidSSL, which we acquired from GeoTrust in 2006, has as its target customer the very small business."