Hackers create rogue CA certificate using MD5 collisions!
Using computing power from a cluster of 200 PS3 game consoles and about $700 in test digital certificates, a group of hackers in the U.S. and Europe have found a way to target a known weakness in the MD5 algorithm to create a rogue Certification Authority (CA), a breakthrough that allows the forging of certificates that are fully trusted by all modern Web browsers.
The research, which will be presented today by Alex Sotirov (top left) and Jacob Appelbaum (bottom left) at the 25C3 conference in Germany, effectively defeats the way modern Web browsers trust secure Web sites and provides a way for attackers to conduct phishing attacks that are virtually undetectable.
The research is significant because there are at least six CAs currently using the weak MD5 cryptographic algorithm in digital signatures and certificates. The most commonly used Web browsers — including Microsoft’s Internet Explorer and Mozilla’s Firefox — whitelist these CAs, meaning that a fake Certificate Authority can display any site as secure (with the SSL padlock).
“We basically broke SSL,” Sotirov said in an interview ahead of his 25C3 presentation.