Lab Notes

Musings on Wi-Fi security issues, our product plans, and the general state of the world.

Creating a Rogue CA Certificate

At the Chaos Communication Congress today, researchers presented a paper describing their technique for forging certificates to appear as if they were signed by a trusted certificate authority. How they did it, in a nutshell:

  1. Obtain a legitimate certificate from a certificate authority that uses MD5 in its signatures.
  2. Generate a fake certificate for the rogue web site, adding an extension that contains a precisely calculated string of bytes so that the MD5 digest of the fake certificate matches the MD5 digest of the legitimate certificate from step 1. (This step took the researchers about 18 hours using an array of 200 PlayStation 3 systems, whose Cell processor is especially adept at performing the kinds of computations necessary.)
  3. Copy the signature from the legitimate certificate to the fake certificate.

The upshot is that any certificate signed by an authority using MD5 is suspect. RapidSSL accounted for nearly all of the certificates that the researchers identified in their sampling, but Thawte and several others were also singled out. Beware of any web site that uses one of these certificates; even if your browser says that the certificate is valid, it may not be. (N.b., not all Thawte certificates are vulnerable; our own web site uses a Thawte certificate that was issued with a SHA-1 signature.)

This presentation comes on the heels of last week's revelation that a certificate vendor has been issuing certificates with no verification. In that case, a user was able to get a certificate issued in the name of "www.mozilla.org" despite not having any affiliation with Mozilla.

And to bring this all back around to Elektron, I'll note that Elektron has always signed its certificates using SHA-1.

By Chris on December 30, 2008 9:56 PM