Weakness in Internet security uncoveredDecember 31st, 2008 - 1:10 pm ICT by ANI
Washington, December 31 (ANI): The Internet digital certificate infrastructure has a weakness that may be exploited by attackers to forge certificates that are fully trusted by all commonly used web browsers, say researchers.
This finding emerges from the studies conducted by independent security researchers in California and experts at the Centrum Wiskunde & Informatica (CWI) in the
Netherlands, EPFL in Switzerland, and Eindhoven University of Technology (TU/e) in the Netherlands.
The researchers say that this weakness may make it possible for cyber criminals to impersonate secure websites and email servers and to perform virtually undetectable
phishing attacks, which means that visiting secure websites is not as safe as believed.
Presenting their findings at the 25C3 security congress in Berlin on the December 30, the experts expressed hope that there will be an increase in the adoption of more
secure cryptographic standards on the Internet, which will in turn increase online safety.
While presenting their findings, the researchers said that a small padlock symbol appears in the browser window when a netizen visits a website whose URL starts with
https. They said that that indicates that the website is secured using a digital certificate issued by one of a few trusted Certification Authorities (CAs).
They added that with a view to ensuring the legitimacy of the digital certificate, the browser verifies its signature using standard cryptographic algorithms.
As per their discovery, according to the researchers, one of the algorithms called MD5 could be misused. “The major browsers and Internet players such as Mozilla and Microsoft have been contacted to inform them of our discovery and some have already taken action to
better protect their users,” says Arjen Lenstra, head of EPFL’’s Laboratory for Cryptologic Algorithms.
“To prevent any damage from occurring, the certificate we created had a validity of only one month August 2004 which expired more than four years ago. The only
objective of our research was to stimulate better Internet security with adequate protocols that provide the necessary security,” the researcher adds.
Based on their observations, the researchers came to the conclusion that MD5 could no longer be considered a secure cryptographic algorithm for use in digital signatures
MD5 is presently used by certain certificate authorities to issue digital certificates for a large number of secure websites.
“Theoretically it has been possible to create a rogue CA since the publication of our stronger collision attack in 2007,” says cryptanalyst Marc Stevens (CWI).
“It’’s imperative that browsers and CAs stop using MD5, and migrate to more robust alternatives such as SHA-2 and the upcoming SHA-3 standard,” insists Lenstra. (ANI)
- Internet highly vulnerable to phishing attacks - Dec 31, 2008
- Scientists think up way to beat smart hackers - May 02, 2012
- Iranian state backed hackers accused of attacking online security systems to pry on opposition - Mar 25, 2011
- Mathematical theory of elliptic curves may help strengthen IT security - May 12, 2009
- Stamping out rumours, viruses with mathematics - Aug 12, 2012
- Virtual fingerprints can track computer users' movements - May 19, 2010
- Indian IT experts devise technique to fight deadly bots - May 17, 2012
- Mozilla says 'minimal risk' after leaving addons database on public server - Dec 29, 2010
- Scientists crack satellite telephony security code - Feb 09, 2012
- LinkedIn probes theft of 6.5 mn passwords - Jun 06, 2012
- 'Link cyber terrorism to India's overall counter-terror capabilities' - May 16, 2012
- US considers internet identity for its citizens - Jan 10, 2011
- Google to ditch support for older Internet browsers - Jun 07, 2011
- Adult sites use bug to track user's browsing history - Dec 03, 2010
Tags: attackers, certification authorities, cryptographic algorithms, cryptographic standards, cwi, cyber criminals, digital certificate, eindhoven university of technology, email servers, epfl, independent security, internet digital, internet players, internet security, legitimacy, netizen, padlock symbol, security researchers, university of technology, wiskunde