MD5 SSL Summary
Last Updated: 2008-12-30 21:46:19 UTC
by Johannes Ullrich (Version: 1)
I would like to quickly summarize the SSL MD5 issue presented at the 25th Chaos Communication Congress (25C3) in Berlin today. Let me start with a quick FAQ:
- How bad is it?
Bad. But we will survive. The attack makes it possible to build "perfect" phishing sites with SSL certificates that browsers accept without any warning. The protocol affected the most is HTTPS, but any other protocol that relies on SSL certificates may be affected as well.
- What can I do? What do I have to do?
Not much. This is not a "bug" in your browser, and the protocol itself is not "broken". What is broken is the way some certificate authorities sign the certificates they issue. If you use SSL for something like an SSL VPN, where you control both ends, limit the set of CAs you trust to the ones you actually need. The smaller that set, the better.
- Is my SSL certificate "affected"?
Maybe. It depends on which CA you got your certificate from; see the vendor bulletins below for details. Note, however, that a SHA1-signed certificate does not protect your site by itself: an attacker holding a forged CA certificate derived from an MD5-signed certificate can issue a certificate for your hostname, and browsers will trust it.
- Why switch to SHA1 and not RIPEMD/SHA2?
SHA1 is universally supported by current SSL libraries, while SHA2 is still new and not well supported. SHA1 has theoretical weaknesses of its own, but no practical collision has been demonstrated, so it is the pragmatic choice for now.
- What protocols other than HTTPS are affected?
Everything that relies on CA-signed SSL certificates, most notably SSL VPNs and S/MIME. SSH is not affected: it does not use CA-signed certificates, but per-host keys that the client verifies directly.
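A practical way to answer the "is my certificate affected" question, and to audit the chains an SSL VPN or mail gateway trusts, is to read the signature algorithm out of each certificate. The following Python script is an added example, not part of this diary: it walks the DER structure of each certificate in a chain with a minimal ASN.1 decoder, reports the algorithm OID and flags MD5 (and MD2) signatures. It verifies no signatures. The three-certificate chain at the bottom is constructed in the script itself with dummy keys and dummy signature bits purely to show the output; it is not a real CA chain, and the names in it are made up.

```python
import base64
import re

# PKCS#1 signature OIDs (RFC 3279/4055); MD2 and MD5 are the weak ones.
SIG_ALG_NAMES = {"1.2.840.113549.1.1.2": "md2WithRSAEncryption",
                 "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
                 "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                 "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
WEAK_OIDS = {"1.2.840.113549.1.1.2", "1.2.840.113549.1.1.4"}

def der_tlv(buf, pos):
    """Decode one DER tag-length-value at pos (single-byte tags, all X.509 needs)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: low bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Yield (tag, value) for each element inside a SEQUENCE/SET body."""
    pos = 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        yield tag, val

def decode_oid(content):
    first = min(content[0] // 40, 2)                   # first octet packs arcs 1 and 2
    arcs, n = [first, content[0] - 40 * first], 0
    for b in content[1:]:                              # base-128, high bit = continue
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert):
    """Return (oid, name) from the outer signatureAlgorithm of a DER certificate."""
    _, body, _ = der_tlv(cert, 0)
    _tbs, alg, _sig = list(der_children(body))         # Certificate ::= SEQUENCE {tbs, alg, sig}
    oid = decode_oid(next(der_children(alg[1]))[1])    # AlgorithmIdentifier ::= SEQUENCE {OID, params}
    return oid, SIG_ALG_NAMES.get(oid, "unknown")

def is_self_signed(cert):
    """True when issuer Name == subject Name (byte-for-byte DER comparison)."""
    _, body, _ = der_tlv(cert, 0)
    fields = list(der_children(next(der_children(body))[1]))
    fields = fields[1:] if fields[0][0] == 0xA0 else fields   # skip explicit [0] version
    return fields[2][1] == fields[4][1]                # serial, alg, issuer, validity, subject

def audit_chain(chain):
    """Return (index, oid, name, verdict) per certificate. A root's self-signature is
    not security relevant (trust comes from the trust store): 'root', never 'WEAK'."""
    report = []
    for i, cert in enumerate(chain):
        oid, name = signature_algorithm(cert)
        verdict = "root" if is_self_signed(cert) else "WEAK" if oid in WEAK_OIDS else "ok"
        report.append((i, oid, name, verdict))
    return report

def pem_to_der(pem):
    """Extract every CERTIFICATE block from PEM text (e.g. a server's chain file)."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

# ---- constructed toy chain: dummy keys and signatures, illustration only ----
def der(tag, content):
    n = len(content)
    lb = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:                                 # base-128, high bit = more octets follow
        chunks = [a & 0x7F]
        while a := a >> 7:
            chunks.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunks))
    return bytes(out)

def toy_cert(subject_cn, issuer_cn, sig_oid):
    def name(cn):  # Name ::= SEQUENCE OF SET OF { commonName OID, UTF8String }
        return der(0x30, der(0x31, der(0x30, der(0x06, encode_oid("2.5.4.3")) + der(0x0C, cn.encode()))))
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))
    validity = der(0x30, der(0x17, b"081230000000Z") + der(0x17, b"091230000000Z"))
    spki = der(0x30, der(0x30, der(0x06, encode_oid("1.2.840.113549.1.1.1")) + der(0x05, b""))
               + der(0x03, b"\x00" + bytes(16)))      # dummy key bits
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + name(issuer_cn) + validity + name(subject_cn) + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" + bytes(32)))   # dummy signature

def toy_chain():
    """Leaf signed with SHA-1 by an intermediate that the root signed with MD5."""
    md5, sha1 = "1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5"
    return [toy_cert("www.example.com", "Toy Intermediate CA", sha1),
            toy_cert("Toy Intermediate CA", "Toy Root CA", md5),
            toy_cert("Toy Root CA", "Toy Root CA", md5)]

if __name__ == "__main__":
    print(*audit_chain(toy_chain()), sep="\n")
```

Run it on a real chain with `audit_chain(pem_to_der(open("chain.pem").read()))`. The toy chain shows the point made above: the leaf is SHA1-signed and reports "ok", but the intermediate above it is MD5-signed and reports "WEAK", so the site is only as strong as the weakest signature between it and a trusted root. The root's own MD5 self-signature is reported but not flagged, because nobody verifies it; trust in a root comes from its presence in the browser's store. The same field is what `openssl x509 -in cert.pem -noout -text` prints on its "Signature Algorithm" line.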
So what is the problem? Some certificate authorities still use MD5 hashes to sign the certificates they issue. MD5 has been known to be weak for a while now, and this is just yet another attack built on those known weaknesses. These certificate authorities have to change the way they do business (e.g. they have to sign with SHA1 hashes). Your browser includes a set of trusted certificate authorities, and sadly some very popular CAs do still use MD5. Disabling these CAs is neither recommended nor feasible. The attack is still not easy, but it is very much practical and not just "theoretical": the researchers used a cluster of 200 PlayStation 3 systems, and the collision computation took them a couple of days. On top of the collision itself, the attacker has to predict the serial number and validity period the CA will put into the certificate, which was possible because the CA used sequential serial numbers and predictable issuance timing. A reasonably sized botnet would probably do the computation faster.
Once you have the forged CA certificate, you can sign certificates at will, and browsers will trust them. This can be used for man-in-the-middle (MitM) attacks and to impersonate trusted websites.
Basic "best practices" still apply. This attack is not a "game changer": most attacks will probably still use bad certificates and rely on the user clicking "OK" to accept them.
Short summary: it is bad, but there isn't much you can or need to do right now. Stay vigilant and read the vendor announcements below for more details:
(we will add more as we find them)
Johannes B. Ullrich, Ph.D.
SANS Technology Institute