Cracks Emerge in a Web Security Scheme

Posted by: Aaron Ricadela on December 30, 2008

Like many computer security threats, a new weakness in Web commerce emerged today from the grass roots. Researchers said Dec. 30 they’d used 200 PlayStation 3 video game consoles to defeat a Web security mechanism in three days of computing time.

A team of security researchers from the United States, Switzerland, and the Netherlands demonstrated at a conference in Berlin Dec. 30 a way to create fake versions of some digital certificates that are used to batten down E-commerce and online banking Web sites by encrypting information sent through them. The vulnerability in the Web commerce encryption system could let hackers lure PC users to bogus sites in order to pilfer their information, while the users’ Web browsers continue to show the familiar closed padlock icon that indicates a Web site is secure.

The flaw in the algorithm has been known for several years, but the researchers greatly shrunk the presumed length of time it takes to produce a forged certificate, exposing a greater weakness in the system.

Here’s what happened: “Certificate authority” companies, such as VeriSign, issue digital certificates that verify to browsers the legitimacy of Web sites that users visit. The digital signature for each certificate is supposed to be unique. When a site is ready to accept information securely, a padlock icon appears on users’ browsers, letting them know their information’s encrypted and it’s safe to proceed.

The researchers in Berlin showed how to exploit a weakness in an older cryptography scheme used by some certificate authorities, including one called RapidSSL, to create a fake certificate that the authorities would be tricked into signing. A hacker could use that fake to redirect users of a site that had been attacked in this way to a counterfeit site, in order to steal users’ information, the researchers said. "The research is a significant mathematical accomplishment," said Johnathan Nightingale, a security lead at Mozilla, in an e-mail interview.

Microsoft, which makes the Internet Explorer browser, issued a security advisory Dec. 30 that said it’s urging certificate authorities to switch from the vulnerable algorithm to a newer, more secure one. Mozilla, maker of the Firefox browser, said in a blog post that users should be especially aware when visiting Web sites that require sensitive information, especially from public Internet connections. VeriSign, which owns RapidSSL, said in a Dec. 30 blog post that it’s fixed the security problem for its certificates, and plans to phase out the older, vulnerable algorithm by the end of January.

VeriSign, Microsoft, and Mozilla all said they aren’t aware of actual attacks based on the demonstration. And as soon as certificate companies start using the latest algorithm, the loophole is closed. Still, the demonstration shows how more powerful everyday machines could arm hackers with the tools to undermine the Web’s security tenets using the brute force of computing power.

Reader Comments

Truth Now

December 31, 2008 12:31 AM

How much longer will you continue to accept the Bush regime's "official story" of Sept 11th and ignore the overwhelming evidence to the contrary???

I do NOT believe our trillion-dollar air defenses & intelligence network was defeated by Osama bin-Forgotten & his 19 lackeys with box-cutters! Hijacked airliners flew all over the eastern U.S. for hours without any meaningful response nor pursuit!? While Dick Cheney just happened to be conducting similar “war games” that fateful morning!? (Yes, Google it!)

Next, an airliner with a 125' wingspan disappeared though a 16' foot initial impact hole at the Pentagon! How??? All clear videos of what blew-up the Pentagon are being withheld to this day! Why???

That afternoon, yet another implausible phenomena occurred at a building that housed the CIA, FBI, SEC, IRS, etc. WTC Building #7 had minor damage & small, scattered fires, yet it imploded in a controlled demolition!? Larry Silverstein, the very over-insured leaseholder, said:

"I remember getting a call from the, er, fire department commander,
telling me that they were not sure they were gonna be able to contain
the fire, and I said, 'We've had such terrible loss of life, maybe the
smartest thing to do is pull it.' And they made that decision to pull
and we watched the building collapse."

Most people are beginning to accept the fact that Cheney allowed Sept 11th to proceed on purpose.

It's time for all good men & women to speak out about the NWO/globalists, rather than be a gatekeeper of the truth!!! Wake-up everyone now!!!

I want answers from you!

Thomas

December 31, 2008 1:17 AM

Wouldn't it be funny if someone replaced the UNLOCKED bitmap with some LOCKED bitmap, then everyone would think the ENTIRE SECURITY infrastrucure was compromised. All bogus sites would appear secure. Trust in only God.

Cowboy

December 31, 2008 1:35 AM

Now they call Hacking = Research. Unless this research is officially sanctioned by the owners it is hacking as far as i am concerned. In any case if the flaws were known and not fixed prior to this Research the owners of these flawed algorithms may be sued for damages.

M.Terry

December 31, 2008 1:43 AM

So, what code is there to identify counterfeit websites?

continuump

December 31, 2008 4:29 PM

ALL ENCRYPTED S/W IS HACKERBLE! THAT'S SCIENCE, NOT ME SPEAKING. That also goes for any Level 2-7 appliance like routers, the Cloudshilds, RSA's, etc. from anyone. if you want to prevent breaches one must use a OSI Level One (1) platform with Common Criteria, DARPA 98, PVI-DSS Standards. capable to switching in under a millionth of a second when any anomily is detected. Our networks stay up when attacked! Unfortunately,the CIO's & CTO's are being blinded by the "Goliaths." Meanwhile, our clients don't have any of these problems. For example: the Canadian Govt, major metro NY County's Data Centers, etc. Mr. Ricadela, you may want to interview me & teaam & verify by due diligense our claims.
Continuump@gmail.com

References: 1) Professor Bill Caeiili: The problem haunting all critical information-sharing efforts is the threat of deliberately planted malicious software designed to subvert the very protection mechanisms relied upon to protect valuable assets from compromise. No vendor today can procure or offer a platform that offers the technical basis to trust system protections respecting integrity or confidentiality of the data of different domains against subversion by a targeted attack using deliberately planted malicious software.
Encryption doesn’t solve the problem -- a fact that will continue to bedevil MLS efforts on any platform in the market today. Professor Bill Caelli has written:
"It is common ... for the banking and finance industry to explain their security parameters to customers in terms of 128 & 256-bit cipher, SSL implementation without any discussion at all of the system security at each end of the "line".... This trend totally ignores the fundamental fact that such encryption will only be as secure as the operating system structure in which it sits. The emphasis must then move back to the
"TCSEC/Common Criteria" environment and reasonable proof that software and hardware based encryption structures are fully protected. Contrary to accepted ideas, then, the use of cryptography actually enhances the need to reconsider security functionality and evaluation at the operating system and hardware levels ... " Bll Caelli, “Relearning “Trusted Systems” in an Age of NIIP: Lessons from the past for the Future”, 2003.

2) This journal publication is the one single best document that defines the problems and suggests the solution:

“SNAKE-OIL SECURITY CLAIMS”
THE SYSTEMATIC MISREPRESENTATION
OF PRODUCT SECURITY IN THE
E-COMMERCE ARENA
John R. Michener, Ph.D.*
Steven D. Mohan, D.CS.**
James B. Astrachan, J.D., LL.M.***
David R. Hale, J.D.****
Cite as: John R. Michener, Steven D. Mohan,
James B. Astrachan and David R. Hale,
“Snake-Oil Security Claims” The Systematic Misrepresentation
of Product Security in the E-Commerce Arena
9 Mich. Telecomm. Tech. L. Rev. 211 (2003),
available at http://www.mttlr.org/volnine/Michener.pdf

Post a comment

 

About

Bloomberg Businessweek writers Peter Burrows, Cliff Edwards, Olga Kharif, Aaron Ricadela, and Douglas MacMillan, dig behind the headlines to analyze what’s really happening throughout the world of technology. Tech Beat covers everything from tech bellwethers like Apple, Google, and Intel and emerging new leaders such as Facebook to new technologies, trends, and controversies.

Categories

 

BW Mall - Sponsored Links

Buy a link now!