I tried very hard to stay off the site over the holidays, but I found myself plugging away nonetheless. I tried hard to avoid tooting my “me too” horn on this story, but failed. So, unless you were camping in the wilderness for the last week, you have no doubt heard about the MD5 problem that was brought out into the light by a group of researchers including Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik and Benne de Weger. There were some folks who lashed out at them for the disclosure, but those folks are sadly misguided. This was a necessary action to body slam an object at rest.
From Network World:
SSL certificates are supposed to be unique identifiers for Web sites and other purposes, but on Dec. 30, an international team of researchers demonstrated at the Berlin Chaos Communication Congress event how they could exploit a weakness in the MD5 hash algorithm in VeriSign’s automated RapidSSL certificate-issuance service to gain possession of what they call a “rogue Certificate Authority certificate.”
“This certificate allows us to impersonate any Web site on the Internet, including banking and e-commerce sites secured using the HTTPS protocol,”
This was a required kick in the nuts. Sadly, too often in this industry, fixing a problem takes an event such as this or a massive failure. One CA in particular had this to say,
Callan expressed some frustration that the researchers hadn’t contacted VeriSign prior to their demonstration of RapidSSL’s vulnerability.
“VeriSign feels this kind of ‘white hat’ research is important, but we encourage them to share their findings with us,” he says. Despite some talk that VeriSign might consider taking legal action against such research, Callan emphasizes, “We wouldn’t use legal response to prevent disclosure.”
But is he being accurate about this apparent lack of disclosure?
No.
Alex Sotirov responded yesterday,
I feel that this statement is inaccurate. Not only did we contact Verisign before our presentation to let them know about our research, we also strongly advised them to stop using MD5 as soon as possible and were given a chance to review their mitigation plans. I hope that Tim Callan’s post is a result of a simple miscommunication between the technical people at Verisign and their marketing department.
He goes on to provide copies of the email communications in the post on his site. The CAs are used to business as usual and quite often are reluctant to change things. This was a welcome disclosure in my book. It’s borken. Fix it.