Even 'secure' Internet sites may be phished

Here's some news that may not be music to the ears -- information netizens share even through secure websites and email servers is susceptible to hacking.

    
Internet security researchers have found a weakness in the Internet's digital infrastructure that lets hackers impersonate secure websites and email servers and perform virtually undetectable phishing attacks.
    
Independent security researchers in California, Switzerland and Netherlands have found a bug in the Internet digital certificate infrastructure that allows attackers to forge certificates that are fully trusted by all commonly used web browsers.
    
"The major browsers and Internet players - such as Mozilla and Microsoft - have been contacted to inform them of our discovery and some have already taken action to better protect their users," says Arjen Lenstra, head of EPFL's Laboratory for Cryptologic Algorithms.
    
The system works in a very simple manner: on a visit to any website whose URL starts with "https", a small padlock symbol appears in the browser window. This indicates that the website is secured using a digital certificate issued by a trusted authority.
    
To ensure that the digital certificate is legitimate, the browser verifies its signature using standard cryptographic algorithms. The team of researchers has discovered that one of these algorithms, known as MD5, can be misused.
    
"To prevent any damage, the certificate we created had a validity of only one month, August 2004, which expired over four years ago. The only objective of our research was to stimulate better Internet security with adequate protocols that provide the necessary security," he says.
    
The researchers from California, Centrum Wiskunde & Informatica (CWI) in the Netherlands, EPFL in Switzerland, and Eindhoven University of Technology in the Netherlands have now discovered that it is possible to create a rogue certification authority that is trusted by all major web browsers.
    
They have thus managed to demonstrate that a critical part of the Internet's infrastructure is not safe. For example, without being aware of it, users could be redirected to malicious sites that look exactly like the trusted banking or e-commerce websites they believe they are visiting. The web browser would then accept a forged certificate, and users' passwords and other private data could be stolen.
    
Besides secure websites and email servers, the weakness also affects other commonly used software.
    
According to the researchers, their discovery shows that MD5 can no longer be considered a secure cryptographic algorithm for use in digital signatures and certificates.
    
Currently MD5 is still used by certain authorities to issue digital certificates for a large number of secure websites.
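Because the browser trusts whatever hash scheme the certificate's signatureAlgorithm names, the practical defensive check is to read that field and flag MD5-based signatures. The following is an added example, not code from the researchers or from this article: a small standard-library DER walker with constructed skeleton certificates as input (assumed helper names; the sample bytes are not real certificates).

```python
MD5_WITH_RSA = "1.2.840.113549.1.1.4"          # md5WithRSAEncryption
WEAK_SIGNATURE_OIDS = {
    MD5_WITH_RSA: "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
}

def der_read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = der_read_tlv(value, pos)
        out.append((tag, v))
    return out

def decode_oid(value):
    """Decode a DER-encoded OBJECT IDENTIFIER into dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    The second element names the hash/signature scheme the browser will verify."""
    tag, body, _ = der_read_tlv(cert_der, 0)
    assert tag == 0x30, "not a SEQUENCE"
    alg_tag, alg_body = der_children(body)[1]
    oid_tag, oid_value = der_children(alg_body)[0]
    assert alg_tag == 0x30 and oid_tag == 0x06, "malformed AlgorithmIdentifier"
    return decode_oid(oid_value)

def weak_signature_reason(cert_der):
    """Name of the weak scheme if the cert is MD5- or SHA-1-signed, else None."""
    return WEAK_SIGNATURE_OIDS.get(signature_algorithm_oid(cert_der))

def _skeleton_cert(oid_hex):
    """Constructed sample: empty tbsCertificate + AlgorithmIdentifier + dummy BIT STRING."""
    oid = bytes.fromhex(oid_hex)
    alg = b"\x06" + bytes([len(oid)]) + oid + b"\x05\x00"
    alg = b"\x30" + bytes([len(alg)]) + alg
    body = b"\x30\x00" + alg + b"\x03\x02\x00\xff"
    return b"\x30" + bytes([len(body)]) + body

SAMPLE_MD5_CERT = _skeleton_cert("2a864886f70d010104")      # md5WithRSAEncryption
SAMPLE_SHA256_CERT = _skeleton_cert("2a864886f70d01010b")   # sha256WithRSAEncryption
```

Run the same check over every certificate in a chain, since a single MD5-signed intermediate is enough to make the rogue-CA scenario above possible.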
    
"Theoretically it has been possible to create a rogue CA since the publication of our stronger collision attack in 2007," says cryptanalyst Marc Stevens. "It's imperative that browsers and CAs stop using MD5, and migrate to more robust alternatives such as SHA-2 and the upcoming SHA-3 standard," says Lenstra.