Response To MD5 Collision
December 30, 2008
Earlier today at the Chaos Communication Congress in Berlin, three researchers presented a paper in which they had used an MD5 collision attack and substantial computing firepower to create a false SSL Certificate using the RapidSSL brand of certificates.
I'm happy to announce that this attack articulated this morning has been rendered ineffective for all SSL Certificates available from VeriSign.
We applaud security research of this sort and are glad that white hats like the "MD5 Collision Inc." group make a point of investigating online security. This group went to great lengths to keep its findings private, and unfortunately that included ensuring that VeriSign did not receive information about the findings ahead of the actual presentation, rendering it impossible for us to begin work on mitigating this issue prior to this morning. Fortunately, VeriSign has already removed this vulnerability. Here are some likely questions and their responses based on what we know as of this morning :
Q : Are the researchers’ claims about the MD5 vulnerabilities accurate?
A : Because the researchers did not brief VeriSign on their findings, we have only gotten this information today. There is nothing in the research that upon cursory examination appears to be inaccurate. As we have the opportunity to properly examine this paper, we will have a more definitive response to this question.
Q : How has VeriSign mitigated this problem?
A : VeriSign has removed this vulnerability. As of approximately 11:00 am this morning, the attack laid out this morning in Berlin cannot be successful against any RapidSSL certificate nor any other SSL Certificate that VeriSign sells under any brand.
Q : As a site operator what do I need to do to protect the security of my site?
A : No action is required of our customers. No existing certificates are affected by this attack and the vulnerability has been rendered ineffective for all RapidSSL Certificates moving forward.
Q : Is VeriSign going to stop using MD5 as a result of these findings?
A : VeriSign has been phasing-out MD5 over the past two years; the planned phase out date has been on the road-map for late January 2009 (less than one month from now). In light of today's presentation, VeriSign will be accelerating this phase-out to the earliest safe date. We will notify the public when the phase-out is complete. As of today, we have discontinued using MD5 when we issue RapidSSL certificates, and we've confirmed that all other SSL Certificates we sell are not vulnerable to this attack.
Q : Why has it taken so long for VeriSign to phase out MD5?
A : Sunsetting a legacy technology within a business ecosystem takes time to be phased out as revoking and replacing certificates could potentially halt a customer's online business. As mentioned above, VeriSign will be accelerating this phase-out to the earliest safe date. We will notify the public when the phase-out is complete.
Q : How many Web sites are affected?
A : Zero. The attack, when it worked, was a potential method for a criminal to create a new, false certificate from scratch. The researchers did not demonstrate an attack against existing end entity certificates. In other words, you can't use this attack to break a certificate that already has been issued to a site.
Q : Does the vulnerability impact only sites using RapidSSL certificates?
A : This vulnerability doesn't affect any existing end-entity certificates including RapidSSL.
Q : What happens to customers who have certificates in place using the MD5 hashing algorithm?
A : Today's research revealed a potential attack that required the issuance of new certificates. Existing end entity certificates are not at risk from this attack. Nonetheless, any customer who would like to do so can replace any MD5-hashed certificate free of charge. Until further notice VeriSign is suspending its normal replacement fees for these certificates. Because this replacement is not necessary to ensure the continued security of sites, we are not requiring the replacement of such certificates, as we have previously with the likes of weak Debian keys.
Q : The researchers mentioned that Extended Validation SSL Certificates are not vulnerable to the attack because they do not allow MD5. Is that true?
A : This is correct; EV SSL Certificates utilize the latest hash algorithm and are not affected by the newly-revealed MD5 vulnerabilities. Today the MD5 researchers specifically reinforced that EV SSL Certificates are safe from this attack. They stressed the need for consumers to move to EV-compatible browsers to get the most benefit from EV.
Q : Is Internet security broken?
A : Hardly. The presenters of this morning's paper stressed that it took them a long time and a great deal of computational power to succeed in their collision attack. VeriSign has already eliminated the attack as a possibility.
Source : VeriSign, Inc.