First published: 31st December 2008
In 2004 Xiaoyun Wang and Hongbo Yu presented a collision for MD5. Earlier this month at the 25th annual Chaos Communication Congress in Berlin, Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik and Benne de Weger presented their use of the collision to create a rogue Certification Authority (CA) certificate trusted by all common web browsers. This certificate allows them to impersonate any website on the Internet, including banking and e-commerce sites secured using the HTTPS protocol.
The team used more than 200 PlayStation 3 consoles running in a Linux cluster to generate millions of possible certificates. Once they found a pair that had a special collision in the MD5 hash, they requested a legitimate website certificate from a CA that relies only on MD5 to generate signatures. By copying the signature into a rogue certificate authority credential, they had the ability to generate widely accepted website certificates for any site of their choosing.
The consequences of this flaw are far-reaching, but not entirely catastrophic. A few hundred game consoles are not a ridiculously expensive investment, and criminals could probably access far more computing power cheaply on an illegal botnet. Well-organised criminals could certainly reproduce the result and start producing their perfect SSL forgeries. However, browser developers can mitigate the flaw with their next update, either by marking certificates that rely on MD5 anywhere in their trust chain as unsafe, or by removing the affected CAs from the list of trusted authorities, or both. Users can also modify their CA certificate trust settings themselves, though, realistically, few will do so.
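The per-certificate check behind the first mitigation, as an added example that is not the researchers' code: read the signatureAlgorithm OID from the outer Certificate SEQUENCE of a DER-encoded certificate and flag MD5 (or MD2) based signatures. The sample certificates it runs on are constructed stand-ins with the right outer structure, not real certificates.

```python
# Added example (not the researchers' code): parse the outer Certificate SEQUENCE of
# a DER certificate and flag signatures that rely on MD5 or MD2, per link of a chain.
WEAK_SIGNATURE_OIDS = {"1.2.840.113549.1.1.2": "md2WithRSAEncryption",
                       "1.2.840.113549.1.1.4": "md5WithRSAEncryption"}

def read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Base-128 OBJECT IDENTIFIER body to dotted notation."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, body, _ = read_tlv(cert_der, 0)
    assert tag == 0x30, "not a SEQUENCE"
    _, _, pos = read_tlv(body, 0)          # skip tbsCertificate entirely
    tag, alg_id, _ = read_tlv(body, pos)   # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    assert tag == 0x30, "expected AlgorithmIdentifier"
    tag, oid, _ = read_tlv(alg_id, 0)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return decode_oid(oid)

def weak_signature_hash(cert_der):
    """Name of the weak algorithm, or None when the signature hash is acceptable."""
    return WEAK_SIGNATURE_OIDS.get(signature_algorithm_oid(cert_der))

def der(tag, body):
    """Minimal DER encoder (short and two-byte long lengths) used for test input."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + body

def constructed_cert(alg_oid_body):
    """Constructed stand-in, not a real certificate: dummy tbsCertificate (long enough
    to need a long-form length), the given AlgorithmIdentifier, empty signature."""
    tbs = der(0x30, der(0x02, b"\x01") * 70)
    alg = der(0x30, der(0x06, alg_oid_body) + der(0x05, b""))
    return der(0x30, tbs + alg + der(0x03, b"\x00"))

MD5_RSA = bytes.fromhex("2a864886f70d010104")     # 1.2.840.113549.1.1.4
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
```

Running `weak_signature_hash` over every certificate in a chain, root included, is what "marking certificates that rely on MD5 in their trust chain as unsafe" amounts to; a real implementation would also reject the chain if the OID is unknown rather than silently accepting it.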