A powerful digital certificate that can be used to forge the identity of any website on the internet is in the hands of in international band of security researchers, thanks to a sophisticated attack on the ailing MD5 hash algorithm, a slip-up by Verisign, and about 200 PlayStation 3s.
"We can impersonate
Amazon.com and you won't notice," says David Molnar, a computer science PhD candidate at UC Berkeley. "The padlock will be there and everything will look like it's a perfectly ordinary certificate."
The security researchers from the U.S., Switzerland and the Netherlands planned to detail their technique Tuesday, at the 25th Chaos Communication Congress in Berlin.
At issue is the crypto technology used to ensure visitors to
Amazon.com, for example, are actually connected to the online retailer and not to a fake site erected by a fraudster. That assurance comes from a digital certificate that's vouched for and digitally signed by a trusted authority like Verisign. The certificate is transmitted to a user's browser and automatically verified during SSL connections -- the high-security web links heralded by a locked-padlock icon in the browser.
In theory, hackers could use such an attack in combination with a DNS attack to erect perfect counterfeit banking and e-commerce sites. In practice, though, it's unlikely real bad guys will ever use it. The work required substantial brain and computing power, and the fix is simple: Verisign, and the handful of smaller certificate authorities found using MD5, could simply upgrade to a more secure hash function, and instantly close the loophole.
more :
http://blog.wired.com/27bstroke6/2008/12/berlin.html
