MD5 Broken

This is absolutely huge and devastating news. A weakness in the MD5 hashing algorithm presented today allows for spoofing hashes by creating a “collision”, ie a different message that hashes to the same thing as a target message. What does that mean to you and me? That means that this weakness can allow SSL certificates to be forged that will be recognized as valid by your browser. This is a “holy crap” moment for everyone that depends on these, such as say anyone that does banking online or ever uses a credit card online. Also excreting bricks I’m sure is Verisign, who rakes in large amounts of money by minting these certificates.

It’s a shame this came out during the holidays because I have coworkers who spend all their time thinking about and working on these kinds of issues. I’m looking forward to talking about it with them on Monday. For now, I’m curious how quickly certificates can be reissued with non-broken hashes.

Update: My second paragraph doesn’t make much sense. Rereading the abstract, it seems like the worst risk here is that phishing sites will forge SSL certs that verify, and state that they are the organization they are impersonating. So, you follow a phishing link and when you click the lock icon, it says that it is from Bank of America, or whomever. The risk is not in existing certificates, the risk is that new ones can be forged at will.

In comments, Andrew links to Verisign’s response. As I read their response, it is all about the security of currently issued certs, and does not address the future where validity of a cert can no longer be treated as validity of the site. I wonder if the next step is for Mozilla and IE to explicitly deprecate all certs that use an MD5 hash and only validate fully if SHA-1 is used? I’m not sure at this point what the remediation is. After sleeping on it, it still seems huge.

7 Replies to “MD5 Broken”

  1. I’m curious how quickly certificates can be reissued with non-broken hashes.

    I’m sure there is a great scattered, covered and smothered Waffle House joke in there somewhere, but I’m drawing blanks.

  2. Damn, I’d seen some short blurbs about this earlier in the day; I was going to read the details later. Had no idea it was this bad.

    I notice, though, on doing a spot check of the certs in my browser, that there’s a SHA1 fingerprint for each cert, in addition to the MD5 one. Does the browser care only about the MD5 hash in determining the authenticity of certs? Or, does spoofing an MD5 hash also mean the SHA1 is spoofed as well? My ignorance of these things is appalling.

    Looking forward to updates, after your conversations with your coworkers.

    In a totally non-related topic, I’m also looking forward to the punkin’ soup recipe. 🙂

    -k-

  3. Verisign pretty much can’t seem publically worried. They sell confidence, in a matter of speaking. If they start showing a lack of confidence, they devalue their product.

    They panic is probably behind the scenes.

  4. Agreed, James…confidence is what they sell, so they have to look cool to the world while they stress on this.

    Ken, the biggest issue I can think of wrt the varying hashes is old browsers. I’d have to load some old machines to look, but I don’t know at what point SHA1 fingerprints started to be supported…the MD5 hashes almost certainly are there for backwards compatibility, since everyone’s known (at least in the abstract) this general break was coming for some time. Still surreal to see it actually working, though.

    But if some of the old browsers out there in general use don’t support SHA1 hashes, they’re in serious trouble. There’s no real way to “fix” it. And I expect those are the exact people (less experienced users) that are most likely to click on phishing type links as well. Ick.

    Good news is that SHA1 fingerprints aren’t spoofed along with the MD5 one, and no one is currently (publicly) even close to a general break in SHA1 that I’m aware of.

    Bruce Schneier kind of shrugs it off on his blog, but that’s (IMO) more from a) an academic’s perspective that’s unsurprised by the MD5 break, since he’s all over that literature, and b) a security researcher who has become somewhat blase to how willing people are to click through an “invalid cert” message. To me, though, this is still pretty huge.

  5. You’re correct on all counts, Dave:

    1) Verisign is covering their asses by basically asserting that certs they have issued are valid (duh), but try their darnedest to not touch with a hundred yard pole the issue of forged certs.

    2) The only thing to do is :

    2a) the CAs issue certs from now on with only SHA-1 hashes

    2b) everybody starts researching another hash to use, because SHA-1 is already partly weakened ( http://www.computerworld.com/securitytopics/security/story/0,10801,99852,00.html )

    2c) browsers deprecate certs with only MD5 hashes

    2d) until 2b happens, browsers continue checking both hashes when a cert has both MD5 and SHA hashes

Comments are closed.