Dec 30, 2008 05:40 PM
29,782
Enter your username and password.
Using a cluster of 200 PS3s, an international group of researchers have crafted a "skeleton key" digital certificate that can perfectly impersonate any website on the internet.
The weak point that allows the technique to work—which researchers will be detailing at the 25th Chaos Communication Congress in Berlin—is the MD5 hash algorithm, which, basically, is what's used to create a fingerprint that makes it hard to forge digital certificates. Verisign's RapidSSL still uses the MD5 hash algorithm.
So, where do the crack-friendly PlayStation 3s come in? Well, they have to generate CA certificiate—the certificate that allows them to sign and verify certificates for any other site—and a website certificate that produce the same MD5 hash. A cluster of 200 PS3s were used to figure out where the MD5 hashes of their forged CA certificate and website certificate "collide," allowing them to "crunch out their forgery in about three days."
What's all this mean? David Molnar, a computer science PhD candidate, Threat Level talked to, explains it best: ""We can impersonate Amazon.com and you won't notice...The padlock will be there and everything will look like it's a perfectly ordinary certificate." Thankfully, the hack is hard, but the solution is pretty easy—just switch to a more secure hash, which many companies have done. Verisign is currently in the process of phasing out the MD5 hash. [Threat Level]
Send an email to matt buchanan, the author of this post, at matt@gizmodo.com.
Original material is licensed under a Creative Commons License permitting non-commercial sharing with attribution.
Start a new discussion