placement for flash
Home > All Blogs > Cryptography Blog
1/6/2009 9:27:00 AM

SSL is not broken; MD5 is and has been for a long time

by Andrew Y. Lindell

Recently, seven researchers succeeded in constructing a full-fledged certificate that was never issued by a CA, but will be accepted by any browser who trusts a certain CA; read more here. They did this by finding two certificates that have the same MD5 hash: the first certificate is legitimate and was issued by a given CA, while the second never would have been and can be used to attack a website. The ramifications of this result are significant, but it is important to understand them properly.

First and foremost, the attack has nothing to do with the SSL protocol, but rather is an attack on the MD5 hash function. MD5 was broken a long time ago and should never be used by any self respecting CA. So, if a CA is using MD5, we should remove it's root certificate from our certificate store. Such a CA is at best grossly negligent!

Second, this is yet another reminder that once significant weaknesses have been demonstrated on a cryptographic primitive, it should no longer be used. The argument that a revealed weakness is not yet a practical attack - and therefore one can continue to use the primitive - is a dangerous one. The MD5 collision attacks are an excellent example of this. Until now, most attacks on MD5 did not have any practical use (especially not with respect to web security). However, a real attack did not take too long to come along. Certificate authorities who did not heed this, and are still allowing the use of MD5 in new certificates, are behaving recklessly and irresponsibly.

In conclusion, SSL is fine and the problem is not there. The problem lies in our Public-Key Infrastructure and in the fact that our root certificate store comes with CAs who are irresponsible. The solution is simple: remove all such CAs from your certificate store. Since this is not trivial for the average user (indeed, as a regular user, I may not even know if a given CA allows the use of MD5), I would hope that this will be done in an automatic security patch by Microsoft and others.

Currently rated 5.0 by 2 people

  • Currently 5/5 Stars.
  • 1
  • 2
  • 3
  • 4
  • 5

Tags:

Cryptography | Security

emailEmail   Digg thisDigg this   del.icio.usdel.icio.us   Slashdot It!Slashdot It!
Permalink | Comments (2)

Comments

1/24/2009

What is your opinion on applying compression after fragmentation in SSL and is there a reason for such design? Do you consider this to be a weakness?

tea.packs@hotmail.com

1/27/2009

Fragmentation and compression have no influence on the security of the protocol. Compression used to be considered important when weak encryption schemes (like substitution ciphers etc.) were used because compression reduces the redundancy of the message. However, today we use strong encryption algorithms and so compression neither helps nor harms. This also means that it doesn't matter when or how it's done (the only effect of fragmentation before compression is to possibly reduce the quality of the compression which as I said has no security ramifications in any case). Personally, I wouldn't bother compressing in SSL at all; if compression helps then the application using SSL should really do the compression.

Andrew Y. Lindell

 
© Aladdin Knowledge Systems Ltd. 1985-2009. All rights reserved.