30 June 2008, 10:40

Many weak web server certificates threaten online shopping

https connections exist to help ensure that when somebody is engaged in a financial transaction over the internet they are actually connected to the correct site - such as a bank, online vendor, and so forth. However, due to an error in the OpenSSL library used by the Debian Linux distribution, weak cryptographic keys have been generated and put to use during a period of about one and a half years. If certificates using these weak keys are used, not only could criminals decode encrypted traffic, they could conceivably mimic https sites in the name of the online bank or vendor – this would typically be done in order to steal personal details such as credit card information, passwords, and so forth.

Recent studies by heise Security staff of several thousand valid certificates, none of which generated an error in a broswer, found that approximately one in 30 of these used weak keys - an alarmingly high number. Among these were online shops where people would be expected to enter their credit card details.

For a certificate to be accepted by a browser without issuing a warning, the certificate needs to be issued by a recognised certification authority (CA). All of those that we contacted said that they would revoke any weak keys and freely replace them, but it seems clear that not many certificate owners have checked and replaced their certificates.

But even revoking a certificate may not be enough. In many browsers, the default settings are such that they fail to check server certificates, and do not check the Certification Revocation Lists (CRL) that identify those certificates that have been revoked by a CA. Ideally, all browsers should check which certificates have been blocked using the Online Certificate Status Protocol (OCSP). However, Firefox only supports it in its latest version 3 and Internet Explorer 7 only on Vista. Even worse, there are some CAs that do not support OCSP. heise Security found that only about 30 per cent of the checked certificates contain OCSP URIs. Users need to make sure the correct settings are made in their browser, otherwise, even though a certificate has been blocked and put on the CRL, it could still be used by an attacker until its natural expiry date.

In order that certificate owners may be able to check if their certificate uses a weak key, we have made available on this website a tool that will run a check for you. All that is needed is for you to enter the relevant host name, and the system will check if the associated certificate uses a weak key. To the best of our knowledge, all the keys on our lists are genuinely weak keys, and so the test should not produce any false alarms. The list of vulnerable keys covers all common platforms and configurations (32-/64-bit and big-/little-endian systems); and supported key lengths are 512, 1024, 2048 and 4096 bits.