Website Security Certificate Exploit Found
CNET reports that an international team of researchers will announce this today.
They plan to demonstrate how to forge security certificates used by secure Web sites, a process that would allow a sufficiently sophisticated criminal to fool the built-in verification methods used by all modern Web browsers--without the user being alerted that anything was amiss.
The problem is unlikely to affect most Internet users in the near future because taking advantage of the vulnerability requires discovering some techniques that are not expected to be made public as well as overcoming engineering hurdles: performing the initial digital forgery consumed approximately two weeks of computing time on a cluster of 200 PlayStation 3 consoles. In addition, a criminal needs to find a way to reroute traffic from a legitimate Web site to his own, perhaps through techniques that have become well-known in the last few years.
Hijacked certificate. Note the "issued by" MD5 Collisions Inc.
David Molner, a doctoral student in computer science at the University of California at Berkeley, and six other researchers plan to present their findings during an afternoon session of the Chaos Computer Club's annual conference here on Tuesday. Other team members include Jacob Appelbaum and Alexander Sotirov.
The exploit is not linked to any particular browser but rather uses a mathematical vulnerability in the 17 year old MD5 algorithm.
Valid SSL Certificate
SSL Certificates are issued by a select group of "Trusted Root Servers" and then installed on web servers after verification measures are made that the server is in fact the one listed on the certificate. When you visit a secure web page (https) a valid certificate is represented by the lock symbol in the bottom right of your browser. If the certificate has an issue, browsers will usually indicate this with a popup or a generated warning page to give notice to you before you precede further.
Although this exploit is said to be very complicated to achieve it does show the need to develop a better encryption algorithm.