RealTime IT News

Certificate Flaw May Threaten Secure Web Sites


Security researchers have uncovered a weakness in the certificate infrastructure used to secure Web pages on the Internet -- one that potentially allows the creation of rogue security certificates and the spoofing of sites such as online banks and e-commerce stores.

The news prompted at least one major certificate authority, VeriSign, to roll out fixes across its services that had been at risk from the vulnerability.

Earlier today, seven researchers from the U.S., Switzerland and the Netherlands said they succeeded in creating a rogue certification authority trusted by all common Web browsers, according to their blog.

Certification authorities act as trusted third parties to issue online certificates guaranteeing that the certificate's owner -- say, an e-commerce site -- is who they claim to be. Because browsers accept any certificate that chains to a trusted authority, a rogue certification authority can issue certificates for any domain name it likes, potentially enabling a faked site to pass as legitimate.

Hackers could also attack Secure Sockets Layer (SSL) connections or manipulate the traffic to secure e-mail servers, according to Alexander Sotirov, one of the researchers, in a post on his blog.

The researchers, who also include Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik and Benne de Weger, are scheduled to present their findings today at the Chaos Computer Club's 25th annual conference in Berlin.

In response, VeriSign (NASDAQ: VRSN) said it had issued fixes to address the problems detailed by the researchers, who singled out VeriSign's RapidSSL unit as the most exposed issuer on the Web. According to the researchers' site, 9,000 of the 30,000 certificates they collected from across the Web were still signed using MD5, and 97 percent of those had been issued by RapidSSL.

"We've made code changes on all our platforms on our end, and nobody can get certificates from VeriSign on RapidSSL or any of our other brands that this vulnerability can affect," Tim Callan, vice president of product marketing at VeriSign, told InternetNews.com.

Concerns about browser security are nothing new -- Mozilla patched several flaws in Firefox earlier this month at the same time Microsoft (NASDAQ: MSFT) was wrangling with reports of a vulnerability in Internet Explorer.

Yet the researchers' findings may stoke new fears that the recession will lead to an increase in cybercrime.

Assessing the risks

The researchers' findings center on MD5 (Message-Digest algorithm 5), a cryptographic hash function used in a variety of security applications, including the signing of certificates -- and the source of the weakness the team leveraged. A certification authority does not sign a certificate directly; it signs the hash of the certificate's contents. If two different certificates produce the same MD5 hash, a signature issued for one is equally valid for the other, which is what lets a rogue certificate borrow a legitimate authority's signature. In 1996, a flaw was found in the design of MD5 and cryptographers began recommending the use of other algorithms. Further and more serious flaws, including practical ways to produce two inputs with the same MD5 hash, have been discovered over the years.
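The check a site or certificate operator would want after reading the above is whether any certificate in their inventory is still signed with MD5, and what the authority's signature actually covers. The following is an added example, not code from the researchers or from VeriSign: it builds a few constructed, structurally minimal Certificate SEQUENCEs (not real certificates; the subject strings and issuer names are invented), reads the signatureAlgorithm OID back out of the DER with a tiny hand-written parser, flags md5WithRSAEncryption, and computes the digest of the tbsCertificate bytes, which is the value the CA's signature is over. The OID values are the standard RFC 3279/4055 assignments; everything else (function names, sample payloads) is assumed for illustration.

```python
import hashlib

# Signature-algorithm OIDs seen in X.509 certificates (RFC 3279/4055 values).
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
HASH_FOR_ALG = {"md5WithRSAEncryption": "md5",
                "sha1WithRSAEncryption": "sha1",
                "sha256WithRSAEncryption": "sha256"}

# --- minimal DER encoder, used only to build the constructed sample certificates ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                      # base-128, high bit set on all but the last byte
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der_tlv(0x06, bytes(out))

def build_cert_skeleton(sig_oid, tbs_payload):
    """Constructed sample: Certificate ::= SEQUENCE { tbsCertificate,
    signatureAlgorithm, signatureValue }.  The tbsCertificate is an opaque
    SEQUENCE around the payload and the signature is a dummy BIT STRING;
    only the outer layout matters for the check below."""
    tbs = der_tlv(0x30, der_tlv(0x04, tbs_payload))
    alg = der_tlv(0x30, der_oid(sig_oid) + b"\x05\x00")  # AlgorithmIdentifier + NULL params
    sig = der_tlv(0x03, b"\x00" + b"\xaa" * 16)          # 0 unused bits + fake signature
    return der_tlv(0x30, tbs + alg + sig)

# --- minimal DER reader, just enough to reach signatureAlgorithm ---
def _read_tlv(buf, pos):
    """Return (tag, content, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(content):
    first = content[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    val = 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Return (dotted OID, name) of the certificate's signatureAlgorithm."""
    tag, body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    _, _, pos = _read_tlv(body, 0)          # skip tbsCertificate
    _, alg, _ = _read_tlv(body, pos)        # signatureAlgorithm
    tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    dotted = _decode_oid(oid)
    return dotted, SIG_ALG_OIDS.get(dotted, "unknown")

def uses_md5(cert_der):
    return signature_algorithm(cert_der)[1] == "md5WithRSAEncryption"

def tbs_digest(cert_der):
    """The value the CA's signature actually covers: the digest of the
    tbsCertificate DER under the certificate's own hash.  Two tbsCertificates
    with the same MD5 digest therefore share one valid signature.
    (hashlib may refuse 'md5' on FIPS-restricted builds.)"""
    _, body, _ = _read_tlv(cert_der, 0)
    _, _, end = _read_tlv(body, 0)
    algo = HASH_FOR_ALG[signature_algorithm(cert_der)[1]]
    return hashlib.new(algo, body[:end]).hexdigest()

def md5_share(certs):
    """(number of MD5-signed certificates, total) for a collection."""
    return sum(uses_md5(c) for c in certs), len(certs)

# Constructed sample collection (not real certificates): two MD5-signed, one SHA-256.
SAMPLE_CERTS = [
    build_cert_skeleton("1.2.840.113549.1.1.4", b"CN=shop.example, issuer=RapidSSL"),
    build_cert_skeleton("1.2.840.113549.1.1.4", b"CN=bank.example, issuer=RapidSSL"),
    build_cert_skeleton("1.2.840.113549.1.1.11", b"CN=mail.example, issuer=Other CA"),
]

if __name__ == "__main__":
    for c in SAMPLE_CERTS:
        print(signature_algorithm(c), "MD5!" if uses_md5(c) else "ok", tbs_digest(c)[:16])
    print("MD5-signed: %d of %d" % md5_share(SAMPLE_CERTS))
```

On real input, replace SAMPLE_CERTS with the DER bytes of certificates pulled from your own servers or from a crawl, as the researchers did; the parser only touches the outer three elements, so it does not need to understand the rest of tbsCertificate. A non-zero md5_share is the actionable finding: those certificates should be reissued under a SHA-2 signature, and the issuing authority should stop signing with MD5, as VeriSign did.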

Page 2: Response to the threat