Cracks Emerge in a Web Security Scheme

Like many computer security threats, a new weakness in Web commerce emerged today from the grass roots. Researchers said Dec. 30 they’d used 200 PlayStation 3 video game consoles to defeat a Web security mechanism in three days of computing time.

A team of security researchers from the United States, Switzerland, and the Netherlands demonstrated at a conference in Berlin Dec. 30 a way to create fake versions of some digital certificates that are used to batten down E-commerce and online banking Web sites by encrypting information sent through them. The vulnerability in the Web commerce encryption system could let hackers lure PC users to bogus sites in order to pilfer their information, while the users’ Web browsers continue to show the familiar closed padlock icon that indicates a Web site is secure.

The flaw in the algorithm has been known for several years, but the researchers greatly shrank the presumed length of time it takes to produce a forged certificate, exposing a greater weakness in the system.

Here’s what happened: “Certificate authority” companies, such as VeriSign, issue digital certificates that verify to browsers the legitimacy of Web sites that users visit. The digital signature for each certificate is supposed to be unique. When a site is ready to accept information securely, a padlock icon appears on users’ browsers, letting them know their information’s encrypted and it’s safe to proceed.

The researchers in Berlin showed how to exploit a weakness in an older cryptography scheme used by some certificate authorities, including one called RapidSSL, to create a fake certificate that the authorities would be tricked into signing. A hacker could use that fake to redirect users of a site that had been attacked in this way to a counterfeit site, in order to steal users’ information, the researchers said. "The research is a significant mathematical accomplishment," said Johnathan Nightingale, a security lead at Mozilla, in an e-mail interview.

Microsoft, which makes the Internet Explorer browser, issued a security advisory Dec. 30 that said it’s urging certificate authorities to switch from the vulnerable algorithm to a newer, more secure one. Mozilla, maker of the Firefox browser, said in a blog post that users should be especially aware when visiting Web sites that require sensitive information, especially from public Internet connections. VeriSign, which owns RapidSSL, said in a Dec. 30 blog post that it’s fixed the security problem for its certificates, and plans to phase out the older, vulnerable algorithm by the end of January.

VeriSign, Microsoft, and Mozilla all said they aren’t aware of actual attacks based on the demonstration. And as soon as certificate companies start using the latest algorithm, the loophole is closed. Still, the demonstration shows how more powerful everyday machines could arm hackers with the tools to undermine the Web’s security tenets using the brute force of computing power.
