In association with heise online

FAQs

  • How do I find out whether a certificate is forged?

Unfortunately, there is no universal method for telling a forged certificate from an authentic one. What they all have in common is that they were issued by a CA that uses MD5. This is, unfortunately, also true for about 30 per cent of authentic certificates, which makes it impossible to verify whether a certificate is compromised based on this factor alone.

  • Can I find out whether a certificate uses MD5?

Yes, this is can be found at "Certificate Signature Algorithm" in the certificate's properties. Note, however, that the certificate itself doesn't necessarily need to use MD5. It is enough if one of the Certification Authorities used MD5, which makes it vulnerable. A compromised intermediate CA could very well be used to sign an SHA-1 certificate.

MD5 signature
Zoom Only a certificate's properties reveal the hash algorithm used.

The SSL Blacklist Firefox plug-in offers a way of checking this automatically. It displays a warning whenever a certificate is potentially compromised because of the MD5 problem. Inconveniently, this produces a large number of warnings, almost all of which are not related to an attack.

Warning issued bu SSL Blacklist.
Zoom The SSL Blacklist extension in Firefox warns of MD5 signatures.

  • Can I protect myself against forged certificate attacks in any way at all?

The perspectives Firefox extension currently offers a good chance to do so. It is based on the assumption that an attack on a https-encrypted transmission usually happens locally. The perspectives plug-in asks several "notaries" about the certificate they see. If they see a different certificate for the same server, chances are high that something is wrong – and the user's connection was, for example, diverted to a forged server.

Those who are willing to experiment can remove their browsers' trusted Certification Authorities and begin to manually check and create suitable individual exemptions for all their important certificates. The practical implications of this approach, however, have not yet been established – you're on your own there.

  • Isn't there a danger that gangs of criminals or intelligence agencies have already obtained a forged CA certificate in this way?

Unfortunately, this can't be ruled out completely. It is safe to assume that at least the intelligence agencies also have other ways of obtaining a certificate for an intermediary Certification Authority.

  • I have a web server certificate that uses the MD5 hash function. Does this put my customers at risk?

Not any more than other certificates. Nevertheless, you should ask your CA for a free upgrade to a SHA-1 signature to avoid causing attentive customers unnecessary concern and to speed up the abolishment of MD5.

  • Which CAs apart from RapidSSL still use MD5?

The researchers released the following list of CAs:

  1. RapidSSL C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusiness CA-1
  2. FreeSSL C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Network Applications
  3. TC TrustCenter AG C=DE, ST=Hamburg, L=Hamburg, O=TC TrustCenter for Security in Data Networks GmbH, OU=TC TrustCenter Class 3 CA/emailAddress=certificate@trustcenter.de
  4. RSA Data Security C=US, O=RSA Data Security, Inc., OU=Secure Server Certification Authority
  5. Thawte C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
  6. verisign.co.jp O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign International Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign

We don't know whether this list is accurate and complete.

  • Are the Extended Validation Certificates which browsers mark with a green symbol also affected?

No. The EV SSL specification stipulates that CAs are not allowed to issue certificates using the MD5 hash function. In addition, only trusted EV CAs can sign EV certificates. However, the EV specification also stipulates that new root CA certificates can still be created using MD5 until the end of 2010. As these certificates are often valid for 20 years, this approach is a very optimistic one.

See also:

Print Version | Permalink: http://h-online.com/-746221
  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit
 


  • July's Community Calendar





The H Open

The H Security

The H Developer

The H Internet Toolkit