January 4, 2009 Open Source 0

SSL broken! Hackers create rogue CA certificate using MD5 collisions | Zero Day | ZDNet.com.

The sky if falling!!!!! The sky if falling!!!!! There is a ton of heavy breathing going around about this issue and it’s not necessary at all.

This is a non-issue for the majority of folks and the “solution” is only a stopgap. SSL itself..WAS NOT CRACKED only the digital signature algorithm. The proposed solution is to move to SHA-1 which has been broken since 2005 is only a stopgap at best. This is a configuration issue. ALL browsers inherently trust groups of entities as trusted so their certificates are automatically trusted. If this is removed and folks are forced to inspect the certificates this would mitigate this attack..except most folks won’t check the certs..Most of the users are lazy and therefore this convenience is added. This convenience is the reason this attack can succeed. Moving to an already broken hashing method to fix another broken hashing method to fix what is inherently a configuration problem based on laziness isn’t the fix.

This is one thing that is probably going to make national news..panic a ton of folks..and the techie community is going to stampede to SHA-1 which has been broken since 2005. I personally do not know of another hashing algorithm that’s unbroken as of yet.  SHA-1 still takes quite a bit of computational power to use it’s attack vector but it’s well within modern COTS beowulf clusters now in operation.  Since the XBOX360 has 3 cores and the PS3 has effectively 8 the amount of hardware needed to compromised SHA-1 is much less than 2005 due to increased computational power.  It won’t be long before we hear of a similar type of attack on SHA-1 either.

What does this mean to the average person?  Not much.  How can this be mitigated?  Have the browser manufacturers remove their trusted CA pools and at least make the clients have to click thought the certs.  Inspecting them is not hard really..you just have to read.  If the user doesn’t take the time to read and inspect the cert then it’s nobody else’s fault if they get nailed.