Ben Laurie blathering

Morons Release Beautiful Attack

I’m in two minds whether to even talk about this, but I guess it’ll be all over the ‘net soon.

A rather lovely attack on X.509 certificates exploiting the weakness of MD5 was released today. Read the (very well written) paper for all the gory details, but the short version is you construct a pair of certificates with colliding MD5 hashes. One of these you send off to get signed, and the other you carefully arrange to have the “CA” bit set. This means the second certificate can now be used to sign any other certificate: in effect you have become a CA, using what is known as a chained CA certificate.

So why are they morons? Because they chose to 0day this attack. Why? Users could have been protected from this exploit quite easily – only browsers and CAs had to be notified, which is easily achievable without premature public disclosure. I have no idea why they chose not to do this, but they’ve certainly destroyed any trust I had in them – which is a shame, at least some of them were people I respected.

Ironically, their attack is rendered somewhat pointless right now, as it has been recently shown that Comodo will issue a certificate for any website to anyone at all, without verification.


  1. Ben — what about this paragraph? They claim to be omitting the key details of the attack that render it feasible — :

    ‘The rest of this document will explain our work and its implications in a fair amount of detail. In the interest of protecting the Internet against malicious attacks using our technique, we have omitted the critical details of our sophisticated and highly optimized method for computing MD5 collisions. A scientific paper about our method is in preparation and will be released after a few months, so that the affected Certification Authorities have had some time to remedy this vulnerability.’

    They expand on that later —

    ‘We do not want to help persons with criminal intent. Therefore we will for the time being not release the full details of how we have been able to obtain the rogue Certification Authority certificate. It should however be noted that the basic principles of constructing “chosen-prefix collisions” for MD5 were published already in May 2007, see [SLW], and the “Chosen-prefix collisions” website. To make our present results possible these publicly known techniques have been improved at crucial points. These improvements will be published in a forthcoming academic paper. Apart from that, somebody who wants to redo our work has to do considerable implementation and optimization efforts. For the time being we do not plan to release such implementation details.’

    Comment by Justin Mason — 30 Dec 2008 @ 17:21

  2. Also, they say they did tell Microsoft and Mozilla.

    I think Ben just wishes they’d told Google and OpenSSL too.

    Comment by Nick Mathewson — 30 Dec 2008 @ 17:48

  3. I watched a streaming video of their presentation earlier today. They indicated several times that vendors had been given prior notice and that, amongst other things, Mozilla and Microsoft were both required to sign NDAs in order to prevent accidental premature disclosure and that all CAs still issuing RSA/MD5 certificates had been notified and agreed to stop using MD5 already.

    The theory for this attack has been around for a long time. I see that the bar not been lowered at all by their disclosure for any but the least competent adversary. Could you elaborate on the dangers that their disclosure now brings?

    Importantly, they have refused to disclose the private key for their CA cert.

    Comment by Toby — 30 Dec 2008 @ 19:01

  4. I don’t get what your beef is. They’ve reconstructed a pointless attack that will cripple teh Interwebs! I mean everyone is efermally affected by it! You come out so harsh. Just because they re-hashed old exploits into a new and uberly stupid improved “0-day” attack, doesn’t mean they’re not geniuses. Right now I’m working on rehashing an oldie but goodie. TCP spoofing! Stay tooned

    Comment by ARG — 30 Dec 2008 @ 19:09

  5. Justin – that sounds like “clearly the ‘bad guys’ aren’t going to be smart/fast about developing a useful exploit” to me… and that’s clearly a terrible assumption to make.

    Comment by Cat — 30 Dec 2008 @ 19:15

  6. It appears that your accusation that they are morons boils down to this: “Users could have been protected from this exploit quite easily – only browsers and CAs had to be notified, which is easily achievable without premature public disclosure.” But according to (second-hand reports of) the researchers’ talk, they did notify the browser vendors and CAs. If that is the case, does that make them not morons? If that turns out to be the case, maybe you should be more careful in the future about calling people names in public before getting your facts straight.

    Comment by Kragen Javier Sitaker — 30 Dec 2008 @ 20:23

  7. […] LinksThe Rest I Just Squandered « Morons Release Beautiful Attack […]

    Pingback by Links » More on MD5 Collisions — 30 Dec 2008 @ 21:14

  8. These researchers have been warning about such md5 collisions for years. In 2006 they published X.509 certificates in different names with identical md5 hashes to get a wider audience for the md5-collision attacks that were found a year earlier. The paper (which was widely quoted at the time) should still be at In 2007 they published signed PDF documents predicting the outcome of the US-presidential elections ( – people laughed a bit and mostly ignored it. Stevens, De Weger and Lenstra have been telling everybody who would listen that people should stop using md5-signed X.509 certificates and documents; but didn’t find much of an audience outside the academic world.

    I must say that I didn’t think of the specific application they published now either. But the basic md5-collission isn’t surprising. You should realise that these are academics (mathematicians), trying to persuade the computer community to stop using md5 for these kind of applications – not software hackers who are out to break systems. Yes, their approach was too rash, but it seems that finally they managed to get people to stop and listen.

    Comment by johans — 30 Dec 2008 @ 23:11

  9. Great attack, but I feel that the CA not taking the precaution of introducing sufficient element of randomness in what it signs is also a significant factor.

    Even if they only introduced a 32bit random, it would have helped.

    Comment by Charles Darke — 30 Dec 2008 @ 23:40

  10. Charles — yep, that part is another good example of the autoincrement considered harmful antipattern.

    Comment by Justin Mason — 31 Dec 2008 @ 12:00

  11. […] [2] [3] […]

    Pingback by Infiltrated’s Security Predictions for 2009 | We Break Things — 31 Dec 2008 @ 18:37

  12. > Ironically, their attack is rendered somewhat pointless right now..

    Not really. The md5-based attack allows a man-in-the-middle to attack *all* ssl sessions flowing their proxy, a bogus certificate attack only allows the attacker to spoof all sessions involving the site for which they’ve spoofed a certificate.

    Comment by Richard Threadgill — 31 Dec 2008 @ 22:00

  13. […] z³amaæ klucz takiego urzêdu. Istnieje te¿ inne Jakby niedawno okaza³o siê, ¿e nie musia³by. — Dariusz Sznajder […]

    Pingback by Certyfikat klucza publicznego | hilpers — 18 Jan 2009 @ 16:33

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

Powered by WordPress