
Secure web sites can be forged – better standards needed

12 January 2009

Security researchers in the USA, the Netherlands and Switzerland have found a weakness in the Internet digital certificate infrastructure that allows attackers to forge certificates that are trusted by all commonly used web browsers. They found that forgers are able to impersonate secure websites and email servers and to perform virtually undetectable phishing attacks. This means that visiting secure websites may not be as safe as it is believed to be.

The discovery was presented at the 25C3 security congress in Berlin in December. It is hoped that making this research public will speed up the development and adoption of more secure cryptographic standards on the Internet.

The indication that a website is secure (a small padlock appears on the URL line) is given through a system of digital certificates issued by Certification Authorities (CAs). To ensure that a digital certificate is legitimate, the browser verifies its signature using standard cryptographic algorithms. The researchers discovered that one of these algorithms, known as MD5, can be misused. "The major browsers and Internet players – such as Mozilla and Microsoft – have been contacted to inform them of the discovery and some have already taken action to better protect their users," says Arjen Lenstra, head of the Laboratory for Cryptologic Algorithms at EPFL in Switzerland.

The research shows that MD5 can no longer be considered a secure cryptographic algorithm for use in digital signatures and certificates, and that browsers and certification authorities should consider changing to the more robust SHA-2 (and forthcoming SHA-3) standards. If you are worried about this affecting your company, make sure you speak to your web manager and/or Internet service provider.

Additional information

The team of researchers consists of: Alexander Sotirov (independent security researcher), Marc Stevens (Cryptology Group, CWI), Jacob Appelbaum (Noisebridge, The Tor Project), Arjen Lenstra (EPFL), David Molnar (UC Berkeley), Dag Arne Osvik (EPFL) and Benne de Weger (TU/e).

More information on the discovery may be found on the researchers’ websites:

www.win.tue.nl/hashclash/rogue-ca/
www.phreedom.org/research/rogue-ca/

Contact information

For other inquiries, please email the team of researchers: md5-collisions@phreedom.org


Photo, left to right: Benne de Weger, Arjen Lenstra, Marc Stevens, Jacob Appelbaum, David Molnar, Alex Sotirov
(Photo credit - Alexander Klink)
