Digital Certificate Flaw Leads to Unrecognizable Phishing Attacks
Security experts attending the 25C3 Security Congress in Berlin have identified a basic flaw in digital certificates that enables attackers to create forged certificates that popular web browsers would fully trust.
The researchers representing universities in the Netherlands and Switzerland warned that such vulnerabilities make it feasible to mimic secure e-mail servers and websites to carry out virtually unrecognizable phishing assaults.
When users access a secure website whose URL starts with 'https', a small padlock icon shows that the site is secured. This is done with a digital certificate issued by one of the trusted CAs (Certification Authorities).
The browser then checks the legitimacy of the digital certificate by verifying its signature with standard cryptographic algorithms. But the researchers have discovered that one such algorithm, called MD5, can be abused.
This weakness allows users to be diverted to malicious websites that closely resemble the e-commerce or banking sites they believe they are visiting. The browser receives a fake certificate but wrongly trusts it, so users' passwords and other personal data can fall into the wrong hands.
To find the flaw, the researchers mounted a sophisticated 'collision attack' and used over 200 commercially available game consoles.
According to Arjen Lenstra, head of the Laboratory for Cryptologic Algorithms at EPFL in Switzerland, browser makers such as Mozilla and Internet players such as Microsoft have been informed of the discovery, and some of them have already taken steps to improve their users' protection, as reported by TechRadar on December 30, 2008.
Security specialists further said it is frightening that hardly anything has been done to toughen SSL even though MD5's flaw was known. In their view, a more balanced and secure approach needs to be adopted to take the Internet forward, with the industry learning from past mistakes and designing life cycles for all forthcoming Web standards.
Furthermore, security experts pointed out that the issue is not new. In 2004, researchers found a vulnerability in the MD5 signature algorithm that lets attackers obtain a single digital signature valid for two separate messages.
» SPAMfighter News - 06-01-2009