Root CA spoofing sucessful

A proof of concept attack has been presented at 25C3 (http://events.ccc.de/congress/2008/) showing that it is possible to use the well known MD5 hash collision insecurity to create your own ‘Certificate Authority’ (CA) signing certificate which is already accepted as trusted by most of the major browsers.

This allows an attacker with this root CA key to sign any other certificates he wishes, and all of these will be trusted by client browsers.

Scenario: In the past, if you went to your online banking website and a certificate error appeared, you would suspect something was up, possably you were being Man-in-the-middled and you were being proxied through a malicious machine, or alternativley your DNS had been poisoned and the site you were looking at was not the real bank’s site. You knew this BECAUSE of the certificate error and the attacker could do nothing about it because he was not able to get the private key of the bank’s certificate, or have his own bank certificate pair signed by a signing authority. The attacker just had to hope the user just clicked ‘Continue anyway’ etc.

However now, the attacker basically has the public and private key for a root CA certificate installed in your browser, he can sign any certificate pair he wants, and it will be trusted. How do you differentiate now? when both the real bank and attacker bank site come up with a rosy green SSL bill of health?

Creation of such a certificate only works against certificate authorities that still use MD5 (RapidSSL was used in this particular exploit) and with the release of this information, I should hope that the number of CA’s using this == 0 in a very short while 🙂

This has been a very crude and technically lacking explanation, however I suggest you read the following link for a much more indepth step by step process on how this was carried out;

http://www.win.tue.nl/hashclash/rogue-ca/

//Matt