Rogue CA Certificates
So much for a relaxed end to the year. This morning, at the Chaos Communication Congress, security researchers created a rogue CA certificate which is trusted by all major browsers by default. This means that, in effect, they have become a virtual CA: anyone holding the rogue certificate can sign a certificate for any website, and it will pass the browser's inspection. Malicious sites could impersonate legitimate mail providers or banking sites during a man-in-the-middle attack and completely deceive the user.
The attack targets CAs that continue to sign their certificates using the MD5 hash algorithm. It relies on generating a "collision" between the certificate that is originally requested from the CA and a duplicate, rogue certificate generated by the attacker. It is also, at the moment, only possible when the CA generates certificates using predictable serial numbers.
The danger here is that since browsers implicitly trust the certificates that are signed by trusted roots, there is no mitigation possible on the client end and one has to rely on CAs to upgrade their infrastructure.
The surprising fact is that CAs are still using MD5, 3 years after the first attacks and collisions surfaced. Let's hope that when they upgrade their infrastructure, CAs don't just move to SHA-1, which is also rumoured to be susceptible to collision attacks, but to stronger algorithms like SHA-2 or Whirlpool. Oh, and that they start randomizing the serial numbers for the certificates as well.
More details about the attack can be found here.
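The two conditions the post names, an MD5-based signature and a predictable serial number, are both visible in the certificate itself, so a defender can audit a CA's output for them. The following is an added example, not code from the original post or from the researchers' work: a minimal DER walker that pulls the outer signatureAlgorithm OID and the serialNumber out of a certificate and flags MD5 (and SHA-1) signatures as well as serials that carry fewer than 64 bits. The tiny DER encoder and the two sample certificates are constructed for this illustration (they contain only the fields the checker needs, so they are not complete X.509 certificates); the 64-bit serial threshold is an assumed heuristic, and the OIDs are the standard registered ones.

```python
"""Audit DER certificates for MD5/SHA-1 signatures and short serial numbers.

Added example, not part of the original post. The encoder and the two sample
certificates below are constructed for the demonstration.
"""

MD5_RSA = "1.2.840.113549.1.1.4"      # md5WithRSAEncryption
SHA1_RSA = "1.2.840.113549.1.1.5"     # sha1WithRSAEncryption
SHA256_RSA = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption

WEAK_SIGNATURE_OIDS = {MD5_RSA: "MD5", SHA1_RSA: "SHA-1"}
MIN_SERIAL_BITS = 64  # assumed heuristic threshold for "unpredictable enough"


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, v, pos = _read_tlv(value, pos)
        yield tag, v


def decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER content bytes to dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    n = 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 digit of this arc
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def audit_certificate(der):
    """Return the signature OID, serial width in bits and a list of findings."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tbs, sig_alg, _sig_value = list(_children(cert))
    alg_oid = decode_oid(next(v for t, v in _children(sig_alg[1]) if t == 0x06))
    # tbsCertificate starts with [0] version (tag 0xA0), then INTEGER serialNumber
    serial = next(v for t, v in _children(tbs[1]) if t == 0x02)
    serial_bits = len(serial.lstrip(b"\x00")) * 8

    findings = []
    if alg_oid in WEAK_SIGNATURE_OIDS:
        findings.append(f"signed with {WEAK_SIGNATURE_OIDS[alg_oid]} ({alg_oid}): "
                        "collision-based forgery risk, move to SHA-2")
    if serial_bits < MIN_SERIAL_BITS:
        findings.append(f"serial number is only {serial_bits} bits: likely "
                        "predictable, which the collision attack relies on")
    return {"signature_algorithm": alg_oid, "serial_bits": serial_bits,
            "findings": findings}


# --- constructed sample data (a minimal DER encoder, for the demo only) ---

def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def make_sample_cert(sig_oid, serial_bytes):
    """Build a skeletal Certificate: version, serial and algorithm fields only."""
    alg = _der(0x30, _der(0x06, encode_oid(sig_oid)) + b"\x05\x00")  # AlgorithmIdentifier
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, serial_bytes) + alg)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" + bytes(16)))


# Constructed: an MD5-signed cert with a small sequential serial (1000000),
# and a SHA-256-signed cert with a 128-bit serial.
LEGACY_CERT = make_sample_cert(MD5_RSA, bytes([0x00, 0x0F, 0x42, 0x40]))
MODERN_CERT = make_sample_cert(SHA256_RSA, b"\x0c" + bytes(range(1, 16)))

if __name__ == "__main__":
    for name, cert in (("legacy", LEGACY_CERT), ("modern", MODERN_CERT)):
        print(name, audit_certificate(cert))
```

Running the block reports two findings for the constructed legacy certificate (MD5 signature, 24-bit serial) and none for the modern one. The same `audit_certificate` function can be pointed at real DER files read from disk, since the outer structure it walks is the standard Certificate SEQUENCE.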