When you see the little padlock icon in your browser, it’s supposed to indicate that the Web page you are visiting is legitimate and that your connection is secure. Today, at the Chaos Computer Club’s annual conference in Berlin, a group of researchers undermined that assumption by exposing flaws in the underlying authentication mechanism that e-commerce relies upon.

A group of researchers represented by David Molnar, a doctoral student in computer science at the University of California at Berkeley, demonstrated a proof of concept of an exploit that bypasses Secure Sockets Layer (SSL) security safeguards. Every Web browser that implement SSL can be spoofed into displaying the padlock.

In short, the researchers successfully exploited a vulnerability in the MD5 algorithm that is used to verify whether or not SSL certificates are legitimate, enabling them to forge certificates that would be accepted by Web browsers. The certificates are used to authenticate the ownership of domains.

But don’t get too worked up just yet–there is a lot of work involved. Creating a forged certificate took the team over two weeks and required the muscle of a cluster of 200 PlayStation 3 consoles. Further, a malicious user would have to trick a victim into visiting a fake version of the legitimate site that he or she meant to visit. The gory details of the exploit will not be publicly disclosed until the problem has been addressed, according to a report by News.com.

Techniques as complex as DNS poisoning to simple social engineering have proven that traffic can be rerouted to rouge Web sites. There is a potential for real mischief, but today’s browsers have facilities that go beyond SSL to detect phishing attempts. Microsoft’s phishing filter compares domains against black lists (As an aside, the Phishing Filter Web site has an expired SSL certificate).

End users are more secure than they were a few years ago, but I never underestimate the ingenuity of criminals – especially when the incentive is valuable identity and financial information. It would not be inconceivable for a group to develop a grid-enabled application to churn out false SSL certificates.

That said, the research is important work toward securing the Web, and this type of research should remain unrestricted. There is no real security in obscurity, but research should prompt action.

The MD5 algorithm is critically important for e-commerce, yet it is an early 90’s era technology that was not designed for today’s Web, just as DNS was not designed with security in mind. The experts knew the risks.

It is alarming that little was done to harden SSL even while MD5’s weaknesses were understood; papers were published and reported on in the press four years ago. OpenID authentication also relies upon MD5: This vulnerability affects more than just e-commerce.

There must be more coordination to secure the Internet going forward. The industry needs to learn from past mistakes and bake security into the design life cycle of all future Web standards.

 
2 Comments


Read more: e-commerce, Security