

Stir in poisoned DNS and add a dash of transparent proxying...
December 30, 2008 8:44 AM

The embargo has been lifted on the newest research on growing internet infrastructure insecurity. Using an army of Playstations, researchers have managed to forge a RapidSSL (owned by Verisign) CA certificate in a couple hours due to known flaws in MD5.
posted by These Premises Are Alarmed (33 comments total) 8 users marked this as a favorite

 
That's mefi's own ioerror, & a previous project.
posted by Pronoiac at 9:00 AM on December 30, 2008


Could a moderator fix the "army of Playstations" link? Thx.
posted by DU at 9:07 AM on December 30, 2008 [1 favorite]


"We don't believe anybody will reproduce our attack before the certificate authority has fixed it," says Molnar. [Quote from Wired link.]

Here's hoping.
posted by Lesser Shrew at 9:11 AM on December 30, 2008


It sounds like the point of it is to light a fire under Verisign to get them to phase out MD5. I hope it works.
posted by Chocolate Pickle at 9:12 AM on December 30, 2008


I was going to post this but I didn't have time to scare up more than the zero day article.

The next C3 is definitely on my scare-up-money-to-go list.
posted by Skorgu at 9:29 AM on December 30, 2008


It's the standard security problem. Someone comes up with a theoretical weakness (in this case, in the MD5 hash function). The maintainers of the code affected look at the chance of exploit and the cost of conversion, and decide that it's economically dumb for them to make the change if it'll cost you any money, and besides, if they deny the weakness, it won't cost them any customers.

Someone takes the theoretical attack and makes it real. Now companies have to rush to plug the hole; meanwhile, a large group of people have been vulnerable to this for FOO units of time. BTW, it's happened more than once that a rush to plug a hole has opened up another one.

This is why I'm for open publishing of exploits, because it's the only way to get them plugged, but I wish *customers* would punish those who don't fix stuff as well. Your given CA may not care about a weakness until the exploit hits the wire, but if suddenly 35% of their customer base walked, there would be an incentive to plug the holes sooner -- or at least try to write this stuff securely in the first place.

This MD5 weakness isn't new. The first weakness was found in 1996, a much larger weakness was found in 2004, and the first demonstrated certificate collision -- with a pair of X.509 certs -- was in 2005.

Still using it for certs is basically unforgivable, from a security standpoint. The fact that RapidSSL had another weakness that made other elements easy to predict, thus allowing the generation of ad-hoc certificates (and CA certs!), is a double whammy.
posted by eriko at 9:30 AM on December 30, 2008 [2 favorites]


So uh, which of these links actually goes to the article about the actual cracking? I've already tried three and got somebody's blog, a description of RapidSSL and a howto on making self-signed SSL certs (huh?).
posted by DecemberBoy at 9:37 AM on December 30, 2008


OK, never mind. It's "newest".
posted by DecemberBoy at 9:42 AM on December 30, 2008


Image of Playstation array
posted by DU at 9:56 AM on December 30, 2008


...OK, I read the articles, and still have to ask...why Playstations?
posted by Bokononist at 10:50 AM on December 30, 2008


They are pretty powerful machines, especially for the price.
posted by chunking express at 11:05 AM on December 30, 2008


(And they are Playstation 3s, not the original Playstation.)
posted by chunking express at 11:06 AM on December 30, 2008 [1 favorite]


PS3s use a pretty advanced "cell" processor so I guess it would be a cheap way to do a bunch of integer ops.
posted by delmoi at 11:11 AM on December 30, 2008


The PS3 uses the Cell microprocessor, which is optimized for parallel processing. In the PS3 that parallelism is used to do graphics calculations, but it's also very useful for this kind of brute-force attack.

The PS3 is the cheapest commercial platform which uses the Cell. An array of PS3s like the one they built is something of a super-computer, without costing what most real super-computers cost.
posted by Chocolate Pickle at 11:13 AM on December 30, 2008 [1 favorite]


The Playstation 3 (& many consumer video cards, for that matter) have powerful graphic processor units, which are well-suited to do work that parallelizes well. Here's a video demonstration regarding parallelization, & a site dedicated to the concept.

On preview: Okay, maybe it's the CPU, or Cells are both the CPU & GPU. *shrug*
posted by Pronoiac at 11:18 AM on December 30, 2008


Bokononist: It's because the PS3 is an amazingly fast computer for such a cheap price. Each one has six usable CPU cores, and the Graphics Processing Unit can be used for doing really fast vector math operations.

..And they're cheap!
posted by Laen at 11:19 AM on December 30, 2008


(Dang, preview!)
posted by Laen at 11:19 AM on December 30, 2008


why Playstations?

Something to do while waiting for them to have some games released?
posted by srboisvert at 11:23 AM on December 30, 2008 [2 favorites]


The Playstation 3 (& many consumer video cards, for that matter) have powerful graphic processor units, which are well-suited to do work that parallelizes well. Here's a video demonstration regarding parallelization, & a site dedicated to the concept.

The problem with using graphics processors is that they do floating point math, specifically 32 bit floating point math. I'm not sure how well those vector units would work for doing the kind of integer math that these MD5 attacks would take.

If you just wanted pure floating point, vector math, for the price you would probably go with something like this, a box with 4 top of the line Nvidia GPUs, giving you up to 4 teraflops. Also available as a desktop (an ordinary PC with a bunch of these cards).

Maybe someone more knowledgeable can fill us in, but I'm assuming that they went with PlayStations for the integer operations, and that using floating point units wouldn't work very well for this kind of thing.
posted by delmoi at 11:48 AM on December 30, 2008


I thought I'd try and simplify this for those for whom 'digital certificate' and 'MD5 hash' is gobbledygook.

I, as a website provider such as an online banking site mybank.com, want to make the site secure from interception and eavesdropping. I go to a trusted certificate authority, give them my digital certificate (a file, basically) and some money, they verify I actually own the domain mybank.com, and then they digitally sign that certificate. I then put that signed certificate on my website.

You, as my customer, visit mybank.com. Built in to your browser is a list of trusted certificate signers, so you can compare my digital certificate, and its signature, against that known list. If it matches, then you know my website is legitimate, and we set up a secure encrypted connection that can't be intercepted.

Now, if the certificate isn't signed by one of these trusted certificate authorities, or the signature is fake, your browser will kick up a warning; you've probably encountered one of those warnings at some point. If you get such a warning when visiting a site that should have a proper signed certificate, i.e. your bank rather than some small mailing list, you are alerted that your connection might be being hacked, and someone might be trying to intercept your details. Not all certificates are signed, because it costs money to do so; many personal small sites don't bother, but anything involving a digital checkout, bank, or other site with personal and/or sensitive information should have one.

What has happened now is someone has managed to fake the signature of a real authority, and have it apply to their own fake intermediate certificate authority. This means they can issue their own digitally signed certificate for any site they choose, such as say, mybank.com, and as far as your browser is concerned, it's a real signed certificate via a trusted authority and it won't kick up any warning.

This means that if someone manages to intercept and proxy your connection by other means, and set up a fake website and a fake certificate, you won't know the difference. It'll look like the real site, it'll have a valid certificate like the real site, and your browser won't complain. You sign in, and now the crackers have your legitimate bank details. Or if they do it to a popular online retailer, suddenly you've just handed over your credit card details to the cracker.

There was a big worry a few months ago, the Kaminsky DNS flaw, that made it much easier to potentially intercept your connection to legitimate sites, and silently send it to a fake one controlled by the crackers. One of the defences was that you could trust the certificate system, and if you got redirected to a fake secure site, your browser would kick up a warning. If they were taking advantage of this new weakness, that wouldn't happen. The Kaminsky flaw is largely patched by ISPs by now, but not all.

So what's the upshot? Well, those certificate authorities that are issuing MD5 certificates should stop right away, as that should prevent any new fake certificate authorities being created. Of course, it's possible that bad people already knew about this flaw, and have exploited it already to get their own fake certificate authorities set up already.

So what can you do to protect yourself? You could remove the affected certificate authorities from your browser store of trusted certificate signers, but that would cause all sorts of other problems.

The best thing really is to protect your connection from being intercepted in the first place. First, make sure your home wireless network is properly secured with a strong password and WPA or better, WPA2 security. If you do use a webcafe, or other public access point, be very very wary of visiting websites where you have potentially important information, such as your bank, or online shopping, as they could be intercepted; and with this new flaw, that interception could be entirely transparent. Also, think about your email there - if someone got your password for that, could they then use it to reset your passwords for sites that do have important information? Run decent antivirus and anti-spyware software (or use linux or OSX for sensitive websites) so that they can't hack your machine directly. As always, make sure legitimate sites that should have a certificate, do have the https:// and the padlock.

Finally, I believe Extended Validation Certificates, i.e. sites that go green in the address bar are not vulnerable, so sites such as paypal.com should still be safe from being faked by this method.
posted by ArkhanJG at 12:04 PM on December 30, 2008 [1 favorite]


I should also say, that though it's *possible* someone evil has already found this flaw and exploited it, it's not hugely likely, according to the researchers that found it, and hopefully the certificate authorities will get this fixed before someone bad DOES figure it out, so it's not the end of the secure internet just yet. Still, it's a bit of a brown-trouser day for sysadmins and security people.
posted by ArkhanJG at 12:15 PM on December 30, 2008


The best thing really is to protect your connection from being intercepted in the first place. First, make sure your home wireless network is properly secured with a strong password and WPA or better, WPA2 security.

With traceroute, I get 20+ hops to my bank; if I can't count on the certificate system to be secure, then making sure that WPA2 is set up is like locking the attic fire escape while leaving all the windows and doors wide open.
posted by Pyry at 12:44 PM on December 30, 2008 [2 favorites]


Anyone know some good tools for managing browser root certificates across multiple browsers on multiple Windows machines?
posted by BrotherCaine at 1:50 PM on December 30, 2008


To fix this vulnerability, all CAs are now using SHA-1 for signing and Microsoft and Firefox will be blacklisting the team’s rogue CA in their browser products.

This seems meaningless. What needs to occur is for ALL MD5-signed certificates to be blacklisted, thereby forcing all sites currently using them to have new SHA-1 certs generated. As long as any MD5 certificates are accepted as valid, you have a hole. The chances of finding a collision with an existing certificate might be low, but it's certainly not zero, and future research might produce better ways of calculating collisions for given values.

The only good thing is that at least most certificates have a fixed lifespan (typically six months, one, or two years), so eventually all the old ones will expire and need to be regenerated anyway.
posted by Kadin2048 at 2:44 PM on December 30, 2008 [3 favorites]


With traceroute, I get 20+ hops to my bank; if I can't count on the certificate system to be secure, then making sure that WPA2 is set up is like locking the attic fire escape while leaving all the windows and doors wide open.

Well, WPA prevents a hole at that point in the connection. It's very common for open wireless networks to have leechers if anyone's in the area, usually not malicious people, but it's a real easy way to get on the network if it's not secure. Of course, you need physical proximity, but in the city that's not hard to achieve. If a session is encrypted from start to finish, it may still be very difficult to intercept and decrypt the data, but it gives a potential attacker a little bit easier method to get to you. And a lot of sites still don't use secure login pages, so the user/pass is sent completely in the clear before the session starts. It's not hard to get a lot of personal information if you have access to someone's email account. That's just off the top of my head. So, yeah, WPA is a good idea. I wish WPA2 worked more consistently, but it's the best option when you don't have any changes to the computers on the network and don't have to connect your Aunt Betty with her 5 year old Dell laptop which can't interpret WPA2. Just as an example ....
posted by krinklyfig at 6:52 PM on December 30, 2008


BTW, the point is that sessions with your bank website will be encrypted anyway, so the hops it takes to get from one point to another will only see encrypted data, not your account number or somesuch. However, as I mentioned previously, a lot of websites still have non-secure login pages (pages which start with https and show a lock in Firefox are secured), and the login information is sent in the clear, even some bank sites. There are a lot less of them now that a news story came out a couple months ago about this issue, but even a compromised Yahoo! email account can allow someone access to more than you think.
posted by krinklyfig at 6:58 PM on December 30, 2008


BTW, the point is that sessions with your bank website will be encrypted anyway, so the hops it takes to get from one point to another will only see encrypted data, not your account number or somesuch

Right; my point is that if you can't count on that encryption (which is what this exploit brings into question by potentially allowing man in the middle attacks), then all hackers need to do is compromise any of those hops, and your wireless network is unlikely to be their prime target.

A band of hackers wardriving around with a van of 200 PS3s to intercept unsecured wireless connections and perform man-in-the-middle attacks on individual households in the hope that one of those households will access internet banking on one of the sites the hackers have spoofed right when the hackers are watching is simply not a plausible scenario.

Encrypting your wireless is still a good idea for many reasons, but the threat that hackers might use this specific exploit against you is not one of them.
posted by Pyry at 7:30 PM on December 30, 2008


The only good thing is that at least most certificates have a fixed lifespan (typically six months, one, or two years), so eventually all the old ones will expire and need to be regenerated anyway.

In the meantime, it might be fun to set up a little computing grid, sneak a program onto a machine on some really fat wire somewhere on the net, spoof a CA and start man-in-the-middle hacking bank accounts until we find one that has Verisign's money, then drive the bank out of business. We could do that in under 6 months. Sounds like there's no security in place to prevent that now.

Oh, and if homeland security is listening, I am totally kidding.
posted by Xezlec at 8:04 PM on December 30, 2008


A band of hackers wardriving around with ~~a van of 200 PS3s~~ a single small computer, such as a cell phone, to intercept unsecured wireless connections [FTFY]

(The part of their attack that involved 200 playstations, searching for an MD5 collision, only needs to be done once.)
posted by finite at 8:16 PM on December 30, 2008 [1 favorite]


The part of their attack that involved 200 playstations, searching for an MD5 collision, only needs to be done once.

Well then that certainly lightens their van. Still, if I were a hacker I would go with Xezlec's plan.
posted by Pyry at 9:54 PM on December 30, 2008


Pshaw. If they'd done it with Atari 2600s, then I'd be impressed.
posted by bardic at 11:36 PM on December 30, 2008


In my support wanderings, I have encountered people trying to MitM home internet connections (local kid pissing about), and on cafe networks (someone trying to steal passwords). I have yet to encounter my ISP trying to MitM, or at least they're more subtle about it.

People can at least protect their own network from wardrivers, their own PC from trojans, and their own wireless use on the go from spoofers. There's precious fuck-all they can do about someone screwing with the tier 1 ISP enroute to their bank.

Hopefully though, the existing security measures to stop people putting MitM trojans on core systems will continue to operate. Maybe I'm reading the wrong papers, but the only people I know with those kind of resources and ability to trojan at that level are ISP approved services like phorm, or national governments. And they already have the power to go through your bank account.

If this MD5 set-up-your-own-CA-authority exploit becomes a known exploit rather than one only dedicated researchers working for two years have shown able to do so far, then yes, it would make online security effectively dead. This is a red alert for CAs still issuing MD5 certs, and the trusting of those certs via current browsers, which should be fixable. Even just issuing a random serial number as part of the returned cert effectively kills this attack. Individual MD5 certs issued to end users are also theoretically spoofable, but it's a helluva lot easier to find a collision when you can pick both the certs you send to the CA, and the one you swap it out for.
posted by ArkhanJG at 2:21 AM on December 31, 2008


Thanks for the post!

I'm really impressed by the quality of Metafilter people. Basically all of you get this without needing any more information.

In short, we only needed to perform this attack once and we have a CA that can issue arbitrary certificates. In theory, if you have MD5 basically anywhere in the chain, you have an issue (our demo tool issues certs with SHA-1 >:-) ). Practically, there's one point in which it's perfectly fine for now and that's the self-signature from the CA on its own root cert. At least until second preimage attacks become a reality against MD5. When that happens, all bets are off.

It is however pretty much impossible to know if a CA signs with MD5 without purchasing a cert. Hopefully CAs will explain in the future what they sign with as a selling point. But also hopefully we'll be rid of commercial CAs and then most of this issue is irrelevant.

I personally think that all certs issued with MD5 should be called into question. Specifically if they were signed by a CA after the first really public attacks on x509. Those MD5 attacks were demonstrated by our co-authors. The chosen prefix attack is very powerful. It would be foolish to pretend that it was impossible for someone to pull off this attack without disclosing it.

We didn't release the private key (sorry) and we backdated the certificate (it's expired) to prevent harm if someone were able to steal it. I also hope this starts a dialog about SHA-1 because it's likely to fall someday too, possibly soon. We need to understand and adapt to the fact that cryptographic primitives can be broken overnight. Making a practical attack will come shortly afterwards and it won't always be public.

Anyway if you guys have any more questions, I'll check back here and answer what I can...
posted by ioerror at 6:45 AM on January 3, 2009 [4 favorites]
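The check Kadin2048 asks for (reject every MD5-signed cert) with ioerror's one exception (the root's self-signature), as an added example that is not code from the thread or from the researchers: it walks a leaf-first chain, pulls each certificate's DER signatureAlgorithm OID, and reports MD5 wherever a verifier would actually check the signature. The certificates are constructed stubs (tbsCertificate reduced to a subject and issuer string) and the names are assumptions for the demo.

```python
"""Added example (not from the thread or the researchers): flag MD5 signatures in
a chain, sparing only a root's self-signature. All certificates are constructed stubs."""
MD5_RSA = "1.2.840.113549.1.1.4"   # md5WithRSAEncryption
SHA1_RSA = "1.2.840.113549.1.1.5"  # sha1WithRSAEncryption
def der_len(n):  # DER length octets: short form below 128, long form above
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b
def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body
def encode_oid(dotted):  # dotted string -> DER OBJECT IDENTIFIER (tag 0x06)
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk, p = [p & 0x7F], p >> 7
        while p:  # base-128, high bit set on all but the last octet
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def decode_oid(body):  # DER OID body -> dotted string
    vals, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            vals.append(acc)
            acc = 0
    return ".".join(map(str, vals))

def read_tlv(buf, pos):  # -> (tag, body, position after the element)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: low bits give the number of length octets
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def make_cert(subject, issuer, sig_oid):
    """Constructed stub: SEQUENCE { tbs(subject, issuer), AlgorithmIdentifier, BIT STRING }."""
    tbs = tlv(0x30, tlv(0x0C, subject.encode()) + tlv(0x0C, issuer.encode()))
    alg = tlv(0x30, encode_oid(sig_oid) + b"\x05\x00")  # NULL parameters
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 17))  # placeholder signature bits

def parse_cert(cert):  # -> (subject, issuer, signature algorithm OID)
    _, body, _ = read_tlv(cert, 0)
    _, tbs, pos = read_tlv(body, 0)  # skip tbsCertificate to reach signatureAlgorithm
    _, alg, _ = read_tlv(body, pos)
    _, subj, p = read_tlv(tbs, 0)
    _, iss, _ = read_tlv(tbs, p)
    _, oid, _ = read_tlv(alg, 0)
    return subj.decode(), iss.decode(), decode_oid(oid)

def md5_findings(chain):  # leaf-first chain; report MD5 signatures a verifier would check
    findings = []
    for cert in chain:
        subject, issuer, oid = parse_cert(cert)
        if oid == MD5_RSA and subject != issuer:  # root self-signature is never verified
            findings.append(f"{subject} signed by {issuer} with MD5")
    return findings

# Constructed sample: MD5-signed intermediate under a root that self-signs with MD5.
SAMPLE_CHAIN = [make_cert("mybank.com", "Rogue Intermediate", SHA1_RSA),
                make_cert("Rogue Intermediate", "Example Root", MD5_RSA),
                make_cert("Example Root", "Example Root", MD5_RSA)]
```

Against real DER the same walk applies, since signatureAlgorithm is always the second element of the outer Certificate SEQUENCE; only the subject/issuer extraction is specific to the stub layout.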



