Tuesday, December 30, 2008

MD5 Collisions Allow Forged SSL Certificates

For quite some time we have been told about the weaknesses in MD5 and the potential for documents to be generated with the same md5. Hopefully many people have migrated away from md5; however, would you believe that several certificate authorities still use MD5. And some of these CAs are trusted by your browser!

What are the consequences of this you ask? An attacker can utilize the MD5 collision vulnerability to forge a certificate which contains the same MD5 as another valid certificate. The end result is that an attacker creates a forged certificate which is completely trusted by the browser!

Here are all the details - just released today.

Here is the list of certificate authorities using MD5. You may want to prune those root certificates from your browser

  • RapidSSL C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusiness CA-1
  • FreeSSL (free trial certificates offered by RapidSSL)C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Network Applications
  • TC TrustCenter AGC=DE, ST=Hamburg, L=Hamburg, O=TC TrustCenter for Security in Data Networks GmbH, OU=TC TrustCenter Class 3 CA/emailAddress=certificate@trustcenter.de
  • RSA Data SecurityC=US, O=RSA Data Security, Inc., OU=Secure Server Certification Authority
  • Thawte C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
  • verisign.co.jp O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign International Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign

-Michael Coates