Earlier today at the Chaos Communication Congress in Berlin, three researchers presented a paper in which they had used an MD5 collision attack and substantial computing firepower to create a false SSL Certificate using the RapidSSL brand of certificates. The live presentation should be available for download as well.
I'm happy to announce that the attack articulated this morning has been rendered ineffective for all SSL Certificates available from VeriSign.
We applaud security research of this sort and are glad that white hats like the "MD5 Collision Inc." group make a point of investigating online security. This group went to great lengths to keep its findings private, and unfortunately that included ensuring that VeriSign did not receive any of this information ahead of the actual presentation, rendering it impossible for us to begin work on mitigating this issue prior to this morning. So I'll caution you that these responses are preliminary, and if it turns out that any of the information we've received is inaccurate, my responses may change. Fortunately, VeriSign has already removed this vulnerability. Here are some likely questions and their responses based on what we know as of this morning.
Q: Is the information in the paper and presentation accurate?
A: As mentioned, we only received this information this morning. Our preliminary review doesn't reveal any inaccuracies in the information presented.
Q: How will VeriSign mitigate this problem?
A: VeriSign has removed this vulnerability. As of shortly before this posting, the attack laid out this morning in Berlin cannot be successful against any RapidSSL certificate nor any other SSL Certificate that VeriSign sells under any brand.
Q: Does that mean VeriSign has discontinued use of MD5?
A: We have been in the process of phasing out the MD5 hashing algorithm for a long time now. MD5 is not in use in most VeriSign certificates for most applications, and until this morning our roadmap had us discontinuing the last use of MD5 in our customers' certificates before the end of January, 2009. Today's presentation showed how to combine MD5 collision attacks with some other clever bits of hacking to create a false certificate. We have discontinued using MD5 when we issue RapidSSL certificates, and we've confirmed that all other SSL Certificates we sell are not vulnerable to this attack. We'll continue on our path to discontinue MD5 in all end entity certificates by the end of January, 2009.
Q: Is Internet security broken?
A: Hardly. The presenters of this morning's paper stressed that it took them a long time and a great deal of computational power to succeed in their collision attack. VeriSign has already eliminated the attack as a possibility.
Q: How many certificates are affected?
A: Zero. No end entity certificates are affected by this attack. The attack, when it worked, was a potential method for a criminal to create a new, false certificate from scratch. Existing certificates are not targets for this attack.
Q: What happens to customers who have certificates in place using the MD5 hashing algorithm?
A: Today's research revealed a potential attack that required the issuance of new certificates. Existing end entity certificates are not at risk from this attack. Nonetheless, any customer who would like to do so can replace any MD5-hashed certificate free of charge. Until further notice VeriSign is suspending its normal replacement fees for these certificates. Because this replacement is not necessary to ensure the continued security of sites, we are not requiring the replacement of such certificates, as we did previously with weak Debian keys.
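Both the MD5 phase-out described above and the free replacement offer turn on one fact about a deployed certificate: which digest the issuer signed it over. The post does not say how a customer tells, so here is an added example, not VeriSign's code or anything from the post. It reads the outer signatureAlgorithm OID of a DER or PEM certificate using only the Python standard library and flags the MD5-based (and older MD2-based) OIDs. The two certificate blobs it checks are constructed fixtures with placeholder contents (no real keys or signatures), built only so the check runs offline; on a real certificate, pass the PEM or DER file contents instead.

```python
"""Report the digest algorithm an X.509 certificate was signed with (DER or PEM)."""
import base64
import re

# Signature-algorithm OIDs whose digest is MD5 (or the even older MD2).
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.3.14.3.2.3": "md5WithRSA",
}


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Decode the contents of a DER OBJECT IDENTIFIER into dotted notation."""
    first = value[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def encode_oid(dotted):
    """Encode a dotted OID into DER OBJECT IDENTIFIER contents (used for fixtures)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes(body)


def der(tag, content):
    """Wrap content in a DER TLV; handles lengths up to 65535."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def load_certificate(data):
    """Accept PEM (str or bytes) or raw DER and return DER bytes."""
    if isinstance(data, str):
        data = data.encode()
    if b"-----BEGIN" in data:
        return base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", data))
    return data


def signature_algorithm(cert):
    """Dotted OID from the outer signatureAlgorithm field.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, body, _ = _read_tlv(load_certificate(cert), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(body, 0)           # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(body, pos)        # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("malformed AlgorithmIdentifier")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def uses_weak_digest(cert):
    """True if the certificate's signature was computed over an MD5 or MD2 digest."""
    return signature_algorithm(cert) in WEAK_SIGNATURE_OIDS


def to_pem(der_bytes):
    """PEM-armour DER bytes (used to exercise the PEM path)."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der_bytes).decode()
            + "-----END CERTIFICATE-----\n")


def _fake_certificate(sig_oid):
    """Constructed fixture: certificate-shaped DER with placeholder fields, not a real cert."""
    tbs = der(0x30, der(0x02, b"\x01"))                                  # stand-in tbsCertificate
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))     # OID + NULL params
    sig = der(0x03, b"\x00" + b"\xAA" * 16)                              # stand-in BIT STRING
    return der(0x30, tbs + alg + sig)


MD5_SIGNED = _fake_certificate("1.2.840.113549.1.1.4")      # md5WithRSAEncryption fixture
SHA256_SIGNED = _fake_certificate("1.2.840.113549.1.1.11")  # sha256WithRSAEncryption fixture

if __name__ == "__main__":
    for label, blob in (("md5 fixture", MD5_SIGNED), ("sha256 fixture", SHA256_SIGNED)):
        oid = signature_algorithm(blob)
        print(label, oid, WEAK_SIGNATURE_OIDS.get(oid, "ok"))
```

Run it over every certificate in a chain, not just the leaf: the hash that matters for the attack is the one the issuing CA signs with, so an MD5-signed intermediate is the thing to look for. The tbsCertificate also carries an inner signature field that must match the outer one; this check reads only the outer field, which is the one the verifier actually uses.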
Q: The researchers stated that Extended Validation SSL is a defense against this problem. Is that true?
A: Yes. The Extended Validation SSL Certificate standards prohibit the use of MD5. So no EV certificate in compliance with the standards uses MD5. I can tell you factually that no EV SSL Certificate on the VeriSign, thawte, or GeoTrust brands uses MD5.
Q: These researchers have discussed their desire to maintain secrecy so that the hammer of legal action couldn't be used to prevent publication. Does VeriSign intend to sue these researchers?
A: Security researchers who behave ethically have no reason to fear legal action from VeriSign. Since its inception VeriSign has been one of the world's leading forces for online security, and the company has consistently used its resources and expertise to assist online security's progress. In fact, VeriSign is itself a white-hat security research firm (through our widely respected iDefense Labs), and we understand the concept of "ethical hacking." We're disappointed that these researchers did not share their results with us earlier, but we're happy to report that we have completely mitigated this attack.