Links

Ben Laurie blathering


More on MD5 Collisions

The attack suggests that examining a suspect cert for a signing algorithm using MD5 and an unexpected field, such as a “Netscape Comment” extension, is a good way to spot the attack (if you are an expert). Funnily enough, it turns out that comments on MD5-signed certificates are actually fairly common – for example, you can see one here: https://es.gnu.org/. I’m not sure what tool makes these certificates (other than it appears to be OpenSSL based) – anyone out there know?

While I’m on the subject, people have opined that I might have been hasty in judging the authors, since they have, apparently, spoken to some subset of the people they should have. OK, perhaps I should not have used the term “0day”, but responsible disclosure means making a reasonable effort to contact the appropriate people. If you were serious about responsible disclosure and you had an attack on SSL wouldn’t you discuss it with the guys who maintain the most widely used SSL software in the world? I think you would. Perhaps I’m missing something?

And on that note, I think we should remove OpenSSL’s ability to sign with MD5. Unfortunately removing MD5 altogether is pretty much out, since that would break SSL and TLS. Refusing to verify with MD5 would be nice, too, but it looks like that would also break a lot of existing certificates, so I suspect if we’re going to do that, we should schedule it for a while in the future. Also, I’m wondering if we should rename the MD5 functions so that everyone using it is forced to do some kind of code review, if only to decide they’ll continue to use the broken algorithm. Any thoughts?

7 Comments

  1. Stop signing with MD5. Continue to verify. People should have stopped signing with MD5 sometime last century, but you want to be able to verify that signature that’s been sitting on optical media since ’95.

    J

    Comment by Jon Callas — 30 Dec 2008 @ 21:28

  2. Paragraph 1: so your attack on the researchers was due to you feeling left out? The vulnerability in its current state affects only one company running a particularly ill designed CA. Not only are they leaking private business information, but their entire service is synchronised on a single integer sitting in a single SQL database on a single server somewhere. This is an attack that affects one sucky CA.

    Paragraph 2: for that reason, this attack isn’t actually all that shocking. At the most it is nothing we shouldn’t already have come to expect, and a shameful display of lax procedures at a particular CA. Per e.g. , the addition of a well though out serial number field largely mitigates this attack, and blanket disabling MD5 support is little but a knee jerk reaction that will likely lead to pain sometime in the future.

    What I’d rather see as a result of this news is a hearty discussion regarding how that sucky CA ended up being a trusted root in every major browser in the first place.

    Comment by David W — 30 Dec 2008 @ 22:34

  3. Insert “http://erratasec.blogspot.com/2008/12/not-all-md5-certs-are-vulnerable.html” after “Per e.g.”

    Comment by David W — 30 Dec 2008 @ 22:35

  4. It’s not that I feel left out. That happens all the time. It’s that I’m working. At 10pm. When I’m on holiday.

    Comment by Ben — 30 Dec 2008 @ 23:08

  5. That looks like the default OpenSSL comment string: [http://www.technoids.org/openssl.cnf.html#S_usr_cert_Section]. It’s not MD5-specific as I use the field on my own SHA-1 certificates (I use OpenSSL to generate my own certificates for stunnel and the like).

    Comment by Thomas — 31 Dec 2008 @ 15:38

  6. I’m one of the researchers who published the MD5 collision attack in question.

    Ben, the main reason to notify vendors before disclosing a vulnerability is to prevent its exploitation by criminals. Since we did not release the code necessary to repeat this attack and we talked to the affected CAs before we went public, I feel that we’ve done all that was required to protect people from malicious attacks.

    What would OpenSSL have done if we had told you about the attack a few weeks ago and why can’t you do it just as easily post-disclosure?

    Alexander Sotirov

    Comment by Alexander Sotirov — 31 Dec 2008 @ 18:44

  7. Maybe you shouldn’t have used 0day? Maybe you shouldn’t have used moron 😉

    Comment by Don B. — 1 Jan 2009 @ 17:56

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

Powered by WordPress