Attacking MD5 to create a rogue CA that is trusted by most modern browsers is a very cool attack. I have to admit that whenever I read about a practical cryptanalysis attack I feel a bit inferior: probably what a desk officer at the Pentagon feels when they meet a Marines soldier coming back from Iraq. It’s like I’m not a “real” security researcher – I only play with SQL injections and Cross Site Scripting when the real soldiers are in the field breaking algorithms.
I can’t remember many times when our team was impressed as much as they were when Zvi Gutterman gave us a talk about breaking the Linux kernel PRNG. That week, everybody stopped looking for buffer overflows and started reading Donald Knuth instead.
But inferiority complex aside, this hole won’t have much impact. SSL certificates are a great idea, that just doesn’t work. When SSL Certificates started, you only got one after the CA verified your identity. This involved sending them a bunch of documents to prove the company’s identity, and them giving you a surprise phone call to see if the information on the web site really matches the submission you gave them, and perhaps other subtle tests. It took a while to get a certificate and so having one meant “you” could be trusted.
But today, it’s hard to say who “you” are. Companies have many web sites for many different purposes, and it’s very difficult to deny them a certificate based on some logic. But it gets worse: SSL Certificates are so abused, that users don’t really care about them. I had two different banks show me certificates that generated browsers errors. Some valid google URLs still produce SSL warnings. This is apparantly so common firefox had to put a scary warning message on top of their regular, already scary, warning message.
So broken SSL certificates are ignored, and valid SSL certificate mean very little – until Firefox 3.0, you had to click on the little lock on the lower right corner to know who the company is behind the certificate. Now that you know – does that mean anything? Is the Banc of America the same as the Bank of America? Pretty much, yes. So what about the band of america? They can apply for a valid SSL certificate and it will match the organiations name nicely.
SSL Certificates are long broken, and not because of a clever attack. However, the fact that there is an effective crypto attack against them may help bury this cadaver and perhaps help bring another solution to the surface.