Microsoft Calms SSL Security Alert
Written by Carl E. Reid on January 8, 2009
Today the United States Computer Emergency Readiness Team (US-CERT) updated their website regarding the potential of rogue SSL certificates being generated. US-CERT is part of the United States Homeland Security Agency. This alert is based on a report that identified a vulnerability in the Internet Public Key Infrastructure (PKI) used to issue digital certificates for secure websites. As an Internet standard, MD5 has been employed in a wide variety of security applications, and is also commonly used to check the integrity of files. The authors of the report provided a proof of concept by executing a practical attack scenario and successfully creating a rogue Certification Authority (CA) certificate trusted by all common web browsers. This certificate allows the authors to impersonate any website on the Internet, including banking and e-commerce sites secured using the HTTPS protocol.
The report further explained how the authors’ attack took advantage of a weakness in the MD5 cryptographic hash function that allows the construction of different messages with the same MD5 hash. This is known as an MD5 “collision”. In the authors’ words: “Previous work on MD5 collisions between 2004 and 2007 showed that the use of this hash function in digital signatures can lead to theoretical attack scenarios. Our current work proves that at least one attack scenario can be exploited in practice, thus exposing the security infrastructure of the web to realistic threats.”
US-CERT also issued a “Vulnerability Note”. The impact of this security issue is that an attacker can construct forged data in a variety of forms that will cause software using the MD5 algorithm to incorrectly identify it as trustworthy. Software developers, Certification Authorities, website owners, and users should avoid using the MD5 algorithm in any capacity. As previous research has demonstrated, it should be considered cryptographically broken and unsuitable for further use.
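The practical consequence of the US-CERT guidance is that a certificate whose signature was produced with an MD5-based algorithm should be treated as untrustworthy anywhere in a chain. The following checker is an added example written for this article, not code from US-CERT, Microsoft, or the report’s authors. It walks the DER structure of an X.509 certificate (RFC 5280: `Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }`), reads the OID inside the outer `AlgorithmIdentifier`, and flags MD5 (and the even older MD2). The sample certificates it inspects are constructed skeletons built by the helper `skeletal_certificate`; they carry a placeholder signature value and only enough of the TBS body to exercise the check, so the function names and the skeleton layout are assumptions of this example, while the OIDs themselves are the standard RFC 3279 / RFC 4055 values.

```python
"""Flag X.509 certificates whose signatureAlgorithm is MD5-based.

Added example for this article (not US-CERT's or Microsoft's code).
Pure standard-library Python: a minimal DER reader is enough to reach the
outer AlgorithmIdentifier of a certificate without a full X.509 parser.
"""

# Signature-algorithm OIDs from RFC 3279 / RFC 4055 / RFC 5758.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": ("md2WithRSAEncryption", "broken"),
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "broken"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "deprecated"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "ok"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "ok"),
}


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not used in certificates")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def _decode_oid(value):
    """Decode OBJECT IDENTIFIER content octets to dotted-decimal form."""
    arcs = [value[0] // 40, value[0] % 40]
    n = 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last octet of an arc
            arcs.append(n)
            n = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(cert_der):
    """Return the OID of the outer signatureAlgorithm of a DER certificate."""
    tag, body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, _tbs, pos = _read_tlv(body, 0)          # skip tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, alg_id, _ = _read_tlv(body, pos)        # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg_id, 0)           # first element: algorithm OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def classify_certificate(cert_der):
    """Map a certificate to (algorithm name, status) using SIGNATURE_OIDS."""
    oid = signature_algorithm_oid(cert_der)
    return SIGNATURE_OIDS.get(oid, ("unknown OID " + oid, "unknown"))


def chain_has_broken_signature(chain):
    """True if any certificate in the chain is signed with MD2 or MD5."""
    return any(classify_certificate(c)[1] == "broken" for c in chain)


# --- constructed test data: a DER encoder just large enough for the skeleton ---

def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def skeletal_certificate(sig_oid):
    """Constructed sample (hypothetical): a Certificate whose tbsCertificate
    holds only a serialNumber and the inner signature AlgorithmIdentifier,
    with a zero-filled BIT STRING standing in for the signature value."""
    alg_id = _tlv(0x30, _encode_oid(sig_oid) + bytes([0x05, 0x00]))  # OID + NULL
    tbs = _tlv(0x30, _tlv(0x02, b"\x01") + alg_id)
    sig_value = _tlv(0x03, b"\x00" * 17)  # placeholder, not a real signature
    return _tlv(0x30, tbs + alg_id + sig_value)


if __name__ == "__main__":
    chain = [skeletal_certificate("1.2.840.113549.1.1.11"),   # leaf, SHA-256
             skeletal_certificate("1.2.840.113549.1.1.4")]    # intermediate, MD5
    for cert in chain:
        print(classify_certificate(cert))
    print("chain contains MD5/MD2 signature:", chain_has_broken_signature(chain))
```

Real certificates come from a PEM file after base64-decoding the body between the `-----BEGIN CERTIFICATE-----` markers; feed those bytes to `classify_certificate` unchanged. The check only reads the outer `signatureAlgorithm`, which is the field that binds the issuer’s signature to the certificate body and is therefore the one a collision attack targets.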
Microsoft addressed concerns by responding to this report. Microsoft stated that it “was not aware of specific attacks against MD5. So previously issued certificates that were signed using MD5 are not affected and do not need to be revoked.” Microsoft further stated that “most public Certificate Authority roots no longer use MD5 to sign certificates, but have upgraded to the more secure SHA-1 algorithm. Customers should contact their issuing Certificate Authority for guidance.”