
200 PS3s Break VeriSign's SSL

by - source: Tom's Hardware UK

Now more than ever, shopping over the internet is second nature for many in first world countries. From Amazon to buy.com to eBay, millions of dollars are transferred electronically every day between buyer and seller.

With such massive amounts of consumer activity online, technology like VeriSign's Secure Socket Layer (SSL) helps keep honest shoppers safe from the perils of phishing attacks and fraud. With SSL software and a little bit of internet savvy, shoppers can keep themselves and their bank accounts safe from fraudulent websites.

That was, up until today. While I wouldn't go sounding the doomsday alarms just yet, an international team of internet security experts managed to hack SSL.

The actual feat was the breaking of one of the MD5 algorithms used in issuing security certificates for websites. Security certificates are used to confirm that a website is legitimate and not an attempt to mislead the visitor. Once the team broke through the algorithm, they were able to hack into the RapidSSL.com website. After this, the team was able to produce false security certificates that had the same MD5 hash values as legitimate certificates.

According to the report, "the team that did the research work included independent researchers Jacob Appelbaum and Alexander Sotirov, as well as computer scientists from the Centrum Wiskunde&Informatica, the Ecole Polytechnique Federale de Lausanne, the Eindhoven University of Technology and the University of California, Berkeley." As of the original story, the team was set to show off their accomplishments at the Chaos Communication Congress in Berlin.

While the findings are certainly a feat, and a frightening one at that, the team responsible along with companies like Microsoft have downplayed the vulnerability. "This new disclosure does not increase risk to customers significantly, as the researchers have not published the cryptographic background to the attack, and the attack is not repeatable without this information," said Microsoft. So, assuming the detrimental information stays out of the wrong hands, we are all safe.

Despite downplaying the severity of the hack, one team member made a point of saying internet security needs to change. "It's a wake-up call for anyone still using MD5," said David Molnar, a team member and Berkeley graduate student. Tim Callan, VeriSign's vice president of product marketing, said RapidSSL.com will stop issuing MD5-based digital certificates by the end of January and is attempting to get its customers onto newer security products.


Comments
M_Taylor40 05/01/2009 19:15

I'm guessing that they hacked the algorithm using 200 PS3s utilising the power of the Cell processor, as the article says nothing about the PS3!
If this is also how they did it, how long did it take? Did the 200 PS3s do it in a day or have they been running for days or even months?
Nice to know that SSL isn't as secure as everyone thinks (Nothing is secure if you have the time and resources to try to hack it) but not the best written article ever, not near the normal TH level.
M_Taylor40

wild9 06/01/2009 12:32

In my opinion the most dangerous threat to the internet is the erosion of net neutrality.
