Washington, December 31 (ANI): The Internet digital certificate infrastructure has a weakness that may be exploited by attackers to forge certificates that are fully trusted by all commonly used web browsers, say researchers.
This finding emerges from the studies conducted by independent security researchers in California and experts at the Centrum Wiskunde and Informatica (CWI) in the Netherlands, EPFL in Switzerland, and Eindhoven University of Technology (TU/e) in the Netherlands.
The researchers say that this weakness may make it possible for cyber criminals to impersonate secure websites and email servers and to perform virtually undetectable phishing attacks, which means that visiting secure websites is not as safe as believed.
Presenting their findings at the 25C3 security congress in Berlin on December 30, the experts expressed hope that there will be an increase in the adoption of more secure cryptographic standards on the Internet, which will in turn increase online safety.
While presenting their findings, the researchers said that a small padlock symbol appears in the browser window when a netizen visits a website whose URL starts with "https". They said that this indicates that the website is secured using a digital certificate issued by one of a few trusted Certification Authorities (CAs).
They added that, to ensure the legitimacy of the digital certificate, the browser verifies its signature using standard cryptographic algorithms.
According to the researchers, one of these algorithms, called MD5, could be misused.
"The major browsers and Internet players - such as Mozilla and Microsoft - have been contacted to inform them of our discovery and some have already taken action to better protect their users," says Arjen Lenstra, head of EPFL's Laboratory for Cryptologic Algorithms.
"To prevent any damage from occurring, the certificate we created had a validity of only one month - August 2004 - which expired more than four years ago. The only objective of our research was to stimulate better Internet security with adequate protocols that provide the necessary security," the researcher adds.
Based on their observations, the researchers came to the conclusion that MD5 could no longer be considered a secure cryptographic algorithm for use in digital signatures and certificates.
MD5 is presently used by certain certificate authorities to issue digital certificates for a large number of secure websites.
"Theoretically it has been possible to create a rogue CA since the publication of our stronger collision attack in 2007," says cryptanalyst Marc Stevens (CWI).
"It's imperative that browsers and CAs stop using MD5, and migrate to more robust alternatives such as SHA-2 and the upcoming SHA-3 standard," insists Lenstra. (ANI)