The MD5 algorithm, used by many sites, is not reliable
When you visit a Web site whose address begins with "https", a small padlock appears. In theory, this means that the site is secured by an electronic certificate. In practice, every risk remains possible, especially if the certificate uses the MD5 algorithm, which is still used by several electronic certification authorities.
At the meeting of the hackers' Chaos Computer Club, which has just ended in Berlin, the results presented on Tuesday 30 December leave no more room for doubt: this piece of Internet infrastructure is not reliable, and it allows hackers to create certificates recognized as valid by all browsers.
The news is all the more disturbing in that it is not news at all. This is not the first time, in fact, that the weakness of the MD5 cryptographic hash function has been denounced. In 2004, a team of Chinese researchers reported being able to mount a "collision" attack against it, creating two different messages with the same signature.
In 2007, Swiss and Dutch researchers demonstrated that there was almost total freedom in the choice of the two messages that collide. Building on this concept, these same researchers, joined by an American, have now in fact created a false certification authority that Internet browsers recognize as reliable.
Their goal? "Encouraging the use of safer encryption standards." Their weapon: a "cluster" (machines combined to form a supercomputer) of more than 200 commercially available game consoles, capable of generating a false certificate, one whose validity has already expired (to prevent any real damage). Such means are within reach of hackers, who could thus, after hooking users through "phishing", redirect them without their knowledge to fake banking or e-commerce sites.
Former "Mr. Security" at VMware Inc. and first signatory of this communication, Alexander Sotirov (New York) was surprised to note that "despite years of warnings, several certification authorities continue to use this algorithm." Out of 30,000 Web site certificates, the researchers indeed found that almost a third (9,000) were using MD5 in 2008.
"The main browsers and Internet players, such as Mozilla and Microsoft, have been informed of our discovery and some have already responded to better protect their users," reassures Arjen Lenstra, head of the cryptographic algorithms laboratory at the Ecole Polytechnique Fédérale de Lausanne. It is nonetheless "imperative" that browsers and certification authorities "do not use MD5 and migrate to a more robust alternative", such as SHA-2, already available, or even its future successor, SHA-3.
I'm the Proud Owner of the most dangerous weapon
known to mankind: Human Brain