a complex problem: md5-signed certs from a rogue trusted ca

More information about recent MD5/CA Root attacks (links from SANS):

in the authors’ words
powerpoint slide deck
microsoft advisory (…ok)

Very few entities can actually do anything about this, and it takes quite a lot of effort and knowledge on the part of an attacker (not surprising for a weakness pointed out in part by academics). But the impact seems pretty big, if I’m reading the details correctly (I’ll be the first to admit that PKI, cert signing and trust chains make my head spin). All an attacker needs to do is collide and forge one rogue CA, and everything crumbles after that.

From my brief look, there is one objective to this attack: be able to MITM SSL connections using a rogue CA cert that the browser will trust because it chains up to a root CA that ships with the browser (this assumes you can MITM the traffic in the first place).

From my brief look, this is the impact: you can potentially no longer trust any SSL cert out there. The holy grail, if I may call it that, of browser SSL/cert security lies in the strength of the root CAs that are shipped with the browser. Even a single weak one means any SSL cert can be forged and then implicitly trusted by that browser. Combine that fake trust with the ability to redirect and MITM traffic and you break down SSL trust entirely.
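The practical defender-side check this implies is to look at what hash each certificate in a chain was actually signed with. The following is an added example, not code from the original post: a standard-library-only DER walker that reads the outer signatureAlgorithm of each X.509 certificate and flags MD5-based signatures. The sample chain is constructed inline (correct Certificate framing around dummy TBS and signature bytes) so it runs offline; on real input you would pass the DER bytes of each cert in the chain.

```python
# Added example (not from the original post): flag MD5-signed certs in a chain.
MD5_SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption"}
OID_NAMES = {**MD5_SIG_OIDS,
             "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
             "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
             "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}

def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: N length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(content):
    """Decode OBJECT IDENTIFIER content bytes into dotted form."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                               # last byte of this arc
            arcs.append(value); value = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    assert tag == 0x30, "not a SEQUENCE"
    _, _tbs, pos = _read_tlv(cert, 0)                  # skip tbsCertificate
    tag, alg, _ = _read_tlv(cert, pos)                 # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _read_tlv(alg, 0)                    # its first field: the OID
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return _decode_oid(oid)

def weak_signatures(chain):
    """Return (index, algorithm name) for each cert in the chain signed with MD5."""
    return [(i, OID_NAMES[oid]) for i, der in enumerate(chain)
            if (oid := signature_algorithm_oid(der)) in MD5_SIG_OIDS]

# --- constructed sample input (hypothetical certs, real DER framing) ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_oid(dotted):
    a = list(map(int, dotted.split(".")))
    out = bytes([40 * a[0] + a[1]])
    for arc in a[2:]:
        chunk = [arc & 0x7F]; arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F)); arc >>= 7
        out += bytes(reversed(chunk))
    return out

def fake_cert(sig_oid):
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                       # dummy tbsCertificate
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # OID + NULL params
    sig = _tlv(0x03, b"\x00" + b"\xAB" * 16)                    # dummy BIT STRING signature
    return _tlv(0x30, tbs + alg + sig)

SAMPLE_CHAIN = [fake_cert("1.2.840.113549.1.1.11"),   # leaf: SHA-256
                fake_cert("1.2.840.113549.1.1.4"),    # intermediate: MD5 (the rogue-CA case)
                fake_cert("1.2.840.113549.1.1.5")]    # root: SHA-1

if __name__ == "__main__":
    print(weak_signatures(SAMPLE_CHAIN))               # [(1, 'md5WithRSAEncryption')]
```

A hit on any intermediate or root is the case the post describes: the chain verifies, yet one link in it was signed with a hash that an attacker can collide.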

Biggest issues for consumers #1: Phishing sites would probably love to get their hands on a rogue but trusted CA, because that would mean they could forge their own certs and avoid that annoying popup about a cert being untrusted. Governments might want to pocket this capability for cyberwarfare purposes. If you can redirect all traffic from a hostile entity to your servers, you can then MITM SSL quietly. I bet China would pay dearly for a trusted rogue CA…

Biggest issues for consumers #2: In limited situations, like a small network or a wireless hotspot, an attacker can redirect all traffic to his own server. If he has a trusted CA with which to sign his own certs, he can MITM the banking domain you know and present a cert that your browser will trust. The old habits still hold true: do not do sensitive things on a wireless network or a network you do not trust.

Lesson: MD5 collisions were discovered years ago, and were treated as theoretical only because producing a reliable collision required massive amounts of time and computational power. While MD5 was and still is useful for some things, you can’t pile trust on top of a broken process and still trust it.