Researchers Show 'Secure' Sites May Not Be Safe

December 30, 2008 11:18AM

U.S. and European researchers have demonstrated that digital certificates using the MD5 algorithm can be faked. While some https sites are moving away from MD5, virtually all browsers still accept those "secure" certificates. The researchers used a cluster of Sony PlayStation 3s to create certificates in three days instead of an estimated 30 years.


The small image of a padlock in the corner of your browser may not accurately indicate that a Web-site connection is secure, according to new research. A team of U.S. and European researchers used a computing grid of more than 200 Sony PlayStation 3 video-game machines to create fake certificates and fool a browser into thinking it had a secure connection with a trusted site.

A EU Collision Attack

Researchers from California, teams from the Centrum Wiskunde & Informatica (CWI) and Eindhoven University of Technology in the Netherlands, and teams from the École Polytechnique Fédérale de Lausanne (EPFL) in Switzerland presented a paper Tuesday at the 25C3 security congress in Berlin. They showed that they were able to generate two messages with one digital signature, similar to the process of an older digital-certificate system, using an algorithm called MD5.

A user who visits a Web site whose URL begins with https usually sees a locked padlock in a browser corner, indicating that the site employs a digital certificate issued by one of several trusted certificate authorities. The browser verifies the certificate, using one of several algorithms, including, for some sites, MD5.

The MD5 digital-certificate system is still in use by many sites, and could enable third parties to create fake certificates and fool a browser into thinking it was visiting a secure site. A more modern and secure digital-certificate system is used by many sites.

The vulnerability was first identified four years ago by Chinese researchers, who had created a collision attack by generating two different messages with the same digital signature. But the amount of computing power needed to generate a fake certificate was considered a huge obstacle to anyone attempting to take advantage. By one estimation at the time, a desktop computer would need more than 30 years to generate such a fake certificate.

But the paper presented in Berlin demonstrated that the researchers, using PS3s in a cluster, were able to generate two fake certificates with the same digital signature in only three days.

Ending the Use of MD5

Security experts had mixed responses. Bruce Schneier, chief security technology officer for British Telecom, told The New York Times that most people don't rely on digital certificates. When was the last time you checked your browser certificates to make sure they're good, he asked.

But other security researchers have suggested that the research could have an enormous impact, affecting virtually every browser as well as e-mail, chat servers, and online collaboration. Although only some sites use the older digital certificates, all browsers will accept them.

Using this weakness, for instance, it would be possible to set up virtually undetectable phishing sites that a browser identifies as trusted and secure.

Arjen Lenstra, head of EPFL's Laboratory for Cryptologic Algorithms, said the major browser makers, such as Mozilla and Microsoft, have been informed of the vulnerability.

The immediate goal of the research is to end the use of the MD5 algorithm, which is still being used by some certificate authorities. CWI cryptanalyst Marc Stevens said it's imperative to migrate to more robust alternatives such as SHA-2 and the upcoming SHA-3 standard.
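As an added example (not from the article or the researchers), the following Python reads the outer signatureAlgorithm OID from a DER-encoded certificate and reports whether it is md5WithRSAEncryption, the kind of check a site operator could run to find certificates that still rely on MD5. The sample inputs are constructed skeletons, not real certificates, and all function names are assumptions.

```python
# Added example: report whether an X.509 certificate is signed with MD5.
MD5_WITH_RSA = "1.2.840.113549.1.1.4"       # md5WithRSAEncryption

def read_tlv(buf, pos):                     # -> (tag, value, next_pos)
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:                      # base-128, high bit marks continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_oid(der):                     # outer signatureAlgorithm of a Certificate
    tag, cert, _ = read_tlv(der, 0)         # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(cert, 0)           # skip tbsCertificate
    _, alg, _ = read_tlv(cert, pos)         # signatureAlgorithm ::= SEQUENCE
    tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return decode_oid(oid)

def uses_md5(der):
    return signature_oid(der) == MD5_WITH_RSA

def tlv(tag, body):                         # DER encoder for the constructed samples
    n = len(body)
    size = (n.bit_length() + 7) // 8
    hdr = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + hdr + body

def sample_cert(oid_body):                  # constructed skeleton, not a real certificate
    tbs = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, bytes(200)))
    alg = tlv(0x30, tlv(0x06, oid_body) + tlv(0x05, b""))
    return tlv(0x30, tbs + alg + tlv(0x03, bytes(17)))
MD5_SAMPLE = sample_cert(bytes.fromhex("2a864886f70d010104"))
SHA256_SAMPLE = sample_cert(bytes.fromhex("2a864886f70d01010b"))
```

For a PEM file, convert it to DER first with `ssl.PEM_cert_to_DER_cert` from the Python standard library.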
