back to article Boffins bust web authentication with game consoles

Researchers have uncovered a weakness in the internet's digital certificate system that allows them to forge counterfeit credentials needed to impersonate virtually any website that relies on the widely used security measure. Armed with more than 200 PlayStation 3 game consoles, the researchers are able to create a secure …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Paris Hilton

    w00t

    I guess a firefox patch adding an option to reject the weak certificates might be a fun thing..

  2. Matt
    Joke

    title...

    oh, yeas.. the PS3 is the worst of the consoles then?? :p

    Id like to see a wii cluster do that!!! or see how many Xbox360's would still be running after being left on longenough to do that!!

  3. Andy Worth

    Re:title...

    Oooh that'll inflame the console fanboi's. Although admittedly you do wonder why they would use a PS3 and not a 360 given the difference in the prices.

    Still, I can think of more interesting things to do with 200 PS3's.....

  4. Tony Hoyle

    Well...

    A cluster of PCs using modern graphics cards could come close (maybe even be faster, depending on the algorithm I guess).

    Given that it's now been proven that these authorities can be faked relatively easily (the price of 200 PS3s is nothing compared to the potential gains from fraud) then the authorities using MD5 certificates should be immediately deleted from the list valid authorities in all browsers. That's the simplest patch - in fact the user could do it themselves if el reg had had the guts to print the names.

  5. Anonymous Coward
    Anonymous Coward

    ps3

    ps3!

    you just have to love the hardware in that thing!

  6. Bronek Kozicki
    Go

    this one is big

    While collisions in MD5 are not exactly news, its practical application to break PKI is big news. And it can be repeated, as 200 game consoles is not that big expense. I really do hope that root certificates of those CA still using MD5 will be promptly removed from all the leading browsers.

  7. Anonymous Coward
    Alert

    er....

    Er..... All the games companies should be worried about this.

    Surely if the clustered PS3 environment is able to crack ssl certs then possibly if they turned it on the AES encryption on the files contained on the Wii/Xbox360/PS3 games they would be able to sign, and subsequently boot, whatever they liked......

  8. Ian Ferguson
    Happy

    Handy for hackers

    An ideal con for those naughty hackers with 300 PS3s lying around the house doing nothing.

  9. Christopher Rogers
    Boffin

    @Matt

    So the Ps3 is a good computer. This however does not prove the gameplay.

  10. William Andrews
    Thumb Up

    LOL

    "oh, yeas.. the PS3 is the worst of the consoles then?? :p

    Id like to see a wii cluster do that!!! or see how many Xbox360's would still be running after being left on longenough to do that!!"

    Right on, I think you could try for the world record of RROD's within a 50ft vicinity!

    No console can compete with the PS3, technologically speaking

  11. Anonymous Coward
    Alert

    Outcome

    I expect that Mozilla will take one of two actions - either remove the trust bits from the affected CA's, or disable support for SSL certificates that use the MD5 algorithm. In either case it will likely be done by the next minor Firefox update.

  12. Anonymous Coward
    Flame

    At last...

    ...someone finally found a decent use for the junk that is the PS3

  13. Bronek Kozicki
    Flame

    console fanboys, sigh

    It is not relevant which tool they used to break PKI. What matters is that SSL is no longer secure, as long as there are "bad" root certificates in your browser. We already know about DNS poisoning, SSL was the last defence.

  14. Dave

    Certificate Authorities still using MD5?

    Has anyone got a list of who they are? In the absence of a browser fix, I can at least refuse to accept anything signed by these people.

  15. Anonymous Coward
    Joke

    XBox 360 failure

    Originally they set out to use the XBox 360 but changed their mind after the first week as the turnaround for repairing the RRoD was far too long. Plus they got fed up with the damn thing scratching their discs!

  16. Anonymous Coward
    Anonymous Coward

    @Dave

    I don't think the list has been published, but if you view the certificate details you can see what the certificate signature algorithm is. I checked a couple of certs ... one provided by "Equifax Secure Global eBusiness CA-1" (issued by RapidSSL) was MD5 signed, one provided by "Verisign Class 3 Secure Server CA" was SHA-1.

    Mind you, that's a sample of 2 certs ... I'm not implying anything at all about Equifax or Verisign as a whole!!!

  17. Anonymous Coward
    Alert

    More info here

    More details here http://www.win.tue.nl/hashclash/rogue-ca/ - even lists some MD5 only CAs. Why though am I not surprised that Equifax (RapidSSL) are at the top of the list with 97% of certs found being issued by them - buy cheap - get cheap.

    The others are surprising though, I suspect legacy reasons.

    An easy kill for Rapid SSL cert on my machine.

  18. Henry

    CAs using MD5

    Actually, the list of CAs still using some MD5-signed certificates is easily found in the pdf of the talk on the CCC website: RapidSSL (who issued 97% of the MD5-using certificates the team found), FreeSSL, TrustCenter, RSA Data Security, Thawte, verisign.co.jp

    http://events.ccc.de/congress/2008/Fahrplan/attachments/1251_md5-collisions-1.0.pdf

  19. Anonymous Coward
    Anonymous Coward

    Equifax

    I don't think it's much of a shock that some certificates approved by Equifax might be worthless - who do you think signed off on the credit approval for all those mortgages that went south?

  20. Anonymous Coward
    Anonymous Coward

    @Dave

    Here's some more on the situation - comment #7 mentions a few names.

    https://blog.startcom.org/?p=145

    I didn't know how to do this in FF, so if others need to know:

    Tools > Encryption > View Certificates > Authorities

    Then edit the trust settings of each authority or simply delete them.

  21. James Pickett

    Big bang

    "A cluster of PCs using modern graphics cards could come close"

    And would cost..? The PS3 appears to provide more raw number-crunching bang for your buck than anything currently available, which is probably why each one loses Sony money (who must be a tad worried that so many are ending up in the hands of non-gamers!)

  22. Paul
    Happy

    Check for a insecure algorithm

    Networking4all created a tool to check if a certificate in the chain has been signed with a insecure algorithm

    Example:

    https://www.networking4all.com/en/support/tools/site+check/?fqdn=www.verisign.com

    You can check all sites on:

    https://www.networking4all.com/en/support/tools/site+check/

  23. Anonymous Coward
    Anonymous Coward

    Appointed organizations....

    "certificate authorities, which are appointed organizations that validate the authenticity of websites used for banking and other sensitive online activities"

    Appointed? by whom? Trusted maybe - but nobody appointed Verisign et al. The majority of Certificate Authorities are only such ("authorities") because we accept their self-signed certificates (Or Microsoft and other browser producers accept them on our behalf). Not that their self-appointed status makes any difference to the fact that MD5 has been broken for several years and that even the much maligned Vista has changed all the MD5 options in its firewall settings to "not recommended". So it is rather alarming if MD5 signed certificates are being issued by any major CA or automatically treated as trusted by any browser or OS.

  24. Anonymous Coward
    Alert

    Correction

    They did certainly name the insecure CAs:

    • We collected 30,000 website certificates

    ○ 9,000 of them were signed with MD5

    ○ 97% of those were issued by RapidSSL

    • CAs still using MD5 in 2008:

    ○ RapidSSL

    ○ FreeSSL

    ○ TrustCenter

    ○ RSA Data Security

    ○ Thawte

    ○ verisign.co.jp

    So anything touched by RapidSSL is out, then. Shame. Buhbye, RabidSSL, you will not be missed.

  25. BioTube

    ATTN: Console fanbois

    The Wii, 360 and PS3 ALL use IBM chips. The Wii uses a PPC, the 360 a conventional POWER multicore and the PS3 the Cell POWER. In all odds, they were looking for floating-point performance, in which case only the Cell chip would do(hell, that chip was created just for FLOPs).

    Anyway, stop complaining. The real winner in this round of the console wars is Big Blue.

  26. Chris Hills
    Alert

    The list

    The list of affected CAs can be found at http://www.win.tue.nl/hashclash/rogue-ca/ in section 5.1, reproduced here for convenience:-

    RapidSSL

    C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusiness CA-1

    FreeSSL (free trial certificates offered by RapidSSL)

    C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Network Applications

    TC TrustCenter AG

    C=DE, ST=Hamburg, L=Hamburg, O=TC TrustCenter for Security in Data Networks GmbH, OU=TC TrustCenter Class 3 CA/emailAddress=certificate@trustcenter.de

    RSA Data Security

    C=US, O=RSA Data Security, Inc., OU=Secure Server Certification Authority

    Thawte

    C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com

    verisign.co.jp

    O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign International Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign

  27. Dazed and Confused

    The bad boys won't need PS3

    When you've got a botnet of tens of thousands of dumb windoze boxes at your disposal you won't need to buy loads of consoles.

  28. Rob Beard
    Thumb Up

    PS3 sales

    Ahh so that's who keeps buying the PS3 then. All Sony need now are a shed load more boffins to buy some more PS3s and they might finally catch up with Nintendo.

    Rob

  29. Anonymous Coward
    Anonymous Coward

    Look at the Certificate Signing Algorithm in the Trusted Root Certificate list in a browser

    Just open up the Trusted Root Certificate List in your browser (firefox of course 8-) and look at the Certificate Signing Algorithm and if it says "PKCS #1 MD5 With RSA Encryption" instead of "PKCS #1 SHA-1 With RSA Encryption" (or SHA-2) then you can Edit the properties and turn off the trust settings or delete the whole CA root certificate. That should keep you safe for the time being 8-)

    Yes it does look like the Equifax CA-1 root certs are signed with MD5.

    Some of the Verisign certs are signed with MD2 .. these look like older CAs.

  30. Steve

    @Equifax

    "I don't think it's much of a shock that some certificates approved by Equifax might be worthless - who do you think signed off on the credit approval for all those mortgages that went south?"

    Think the point is using a "Gold Plated" CA for your own certs does not give you any additional protection against this attack. Its the client that needs updating,

  31. Anonymous Coward
    Alert

    @@Dave

    >"Here's some more on the situation - comment #7 mentions a few names."

    No, that's a different problem altogether. In that case, the CA was issuing certificates without checking who they were issuing to was actually the owner of the domain they were issuing a certificate for. Nothing was forged, there was no crypto break involved and the bogus cert could have used any hash algorithm, not just md5.

  32. Destroy All Monsters Silver badge
    Boffin

    Interesting...

    What are people commenting on here? Apart from the usual PS3 fanboy eruptions, we have claims that SSL is broken and verbal attacks against this or that certification authority. WTF?

    Ok, let's make things precise:

    - SSL/TLS is NOT broken. It is not even involved.If you don't use certificates, no problem

    - Certification of public keys, however is holed below the waterline:

    -- you find a pair (public key 1, distinguished name 1 , certificate authority = true) and (public key 2, distinguished name 2, certificate authority = false) which hashes to the same MD5 value. This has been done using lots of processors which happen to be PS3 Cell chips. So who cares.

    -- you find a certification authority which still uses MD5 as hashing algorithm, i.e. which still has

    "default_md = md5" in its openssl.cnf file in spite of CAN-2005-2946.

    -- you submit (public key 2, distinguished name 2, certificate authority = false) to your slowpoke certification authority for signature.

    -- you set up a webserver for bank0famerica.com, apparently signed by slowpoke certification authority by making good use of (public key 1, distinguished name 1 , certificate authority = true) in the certification chain

    -- profit!

    Signature algorithms can be found listed for example here:

    http://bouncycastle.gva.es/www.bouncycastle.org/docs/docs1.4/org/bouncycastle/jce/provider/JDKDigestSignature.MD5WithRSAEncryption.html

  33. Graham Lockley
    Joke

    Amusing

    So we finally find out that 90% of PS3 sales are to hackers :~)

    Dont flame me, I dont even own a console !

  34. Anonymous Coward
    Stop

    Sony factory

    Identified as a major bot-net hideout!

  35. Bronek Kozicki

    @Destroy All Monsters

    "SSL/TLS is NOT broken" - indirectly it is. Or I think so, as I always assumed that SSL is based on PKI and supports certificate chains. If so, how user (directed to malicious host through other means, like poisoned DNS owned by an ISP) can know whether he is connected to "right" or "wrong" address, given that certificate chain in both cases will be valid and start with trusted root CA?

  36. Arthur Silver badge
    Alert

    Insecure certs don't match list

    The insecure certificates in my Firefox (3.0.5/Windows) do not match the list in http://www.win.tue.nl/hashclash/rogue-ca/. Some they say use MD5 use SHA-1 in my FF, others they don't mention do use MD5. Check the lot if you're as paranoid as I am.

  37. Anonymous Coward
    Anonymous Coward

    @ Christopher Rogers

    or the reliability.

  38. Anonymous Coward
    Thumb Up

    PS clustering

    Yeah this would be very easy to do on a PS3 - heck you install linux on it and still have it boot back to it's original os simple enough and well I've seen the sort of crunch power a mere 8 of these can do, it's the fact it is indeed as previously stated CELL powered, anything remotely needing poweful FP computation gets eaten alive by this console...

    I'd love to see a PC with a CPU / GPU combo that could out perform the PS3 for the same cost...

    But I mean there was a whole project much like SETI to show how weak the MD5 system was it took a while but it was done and dusted but this was using pc's running at < 2Ghz...

  39. Daniel B.
    Boffin

    PS3's

    Hm... now I am more inclined on learning to use the Cell's SPEs. Basically that's the reason I installed Linux on my PS3.

    The funny thing is that this news was given to me by a friend saying "OMGWTFBBQ! SSL 0WNED!" when in fact only the md5 certs were "cracked". But then again, the site reporting the news put "SSL CRACKED BY 200 PS3'S" as the headline.

  40. Bruno Girin
    Go

    Vote for it to be addressed in your favourite browser

    Here: https://bugzilla.mozilla.org/show_bug.cgi?id=471539

This topic is closed for new posts.

Other stories you might like