Is Your SSL Certificate Signed Using Vulnerable MD5?

md5, security, ssl — January 5, 2009 @ 1:28 am

Apparently 14% of SSL certificates were signed using vulnerable MD5 algorithm.

Netcraft’s SSL Survey shows that 14% of valid third party SSL certificates have been issued using MD5 signatures . an algorithm that has recently been demonstrated to be vulnerable to attack by producing a fake certificate authority certificate signed by a widely-trusted third party certificate authority.

The researchers achieved this by producing a hash collision . they submitted valid certificate requests to a certificate authority (CA), while producing a second certificate that had the same signature but entirely different details. When the CA signed the valid certificate, the signature applied also to the invalid certificate, allowing the researchers to spoof any secure website that they liked. This attack is the first practical use against SSL of already-known attacks against the MD5 checksum algorithm.

A lot of crypto mumble jumble there. For the mere mortals like us, it’s probably easier to just check the websites that we are hosting are indeed using the more hack-proof SHA1 rather than MD5 to sign the certificate.

Check on Your Browser

It’s relatively easy to do with modern browsers — just bring out the certificate dialog box and check for the “Signature Algorithm” field. Here’s one from Firefox:

Certificate on Firefox

And the equivalent on Internet Explorer.

Certificate on Internet Explorer

It says SHA so it’s safe (for now at least).

Check with OpenSSL

If you are a command line junky it’s pretty easy to download the certificate of a website using OpenSSL, and then check the signature algorithm in there. Here is a small script that does it.

#!/bin/sh
echo "HEAD / HTTP/1.0
Host: $1:443

EOT
" \
| openssl s_client -connect $1:443 2>&1 \
| sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
| openssl x509 -noout -text -certopt no_signame \
| grep 'Signature Algorithm:'

So when you run it:

$ get_sigalg.sh www.google.com
    Signature Algorithm: sha1WithRSAEncryption

Looks like it’s safe over there. Let’s try someone else.

$ get_sigalg.sh www.<blah>.com.au
    Signature Algorithm: md5WithRSAEncryption

Oops! Thus the hostname has been hidden to protect the innocent. Check and make sure the SSL certificates of your sites are not signed with vulnerable MD5 hash!

Anonymous wrote:

The problem is, it doesn’t matter so much that your site uses SHA1 – if any registrar, anywhere, uses MD5, then your site (which is happily using a SHA1 cert on a sane registrar) can be spoofed. In fact, your site using MD5 isn’t really useful – if you read the attack paper, they need to predict the serial number of the certificate some time ahead in order to produce the so-called ‘birthday block’ that they need to convince the CA to embed into the certificate.

So, as a user, you should tell your browser not to trust MD5. And as a webmaster, you should make sure you’re not using MD5, because it won’t be long before browsers stop accepting it. But it’s not about ‘safety’ for the website itself; until browsers lock down MD5, everyone is vulnerable.

January 5, 2009 @ 5:26 pm

beamq wrote:

Most of our sites are using MD5. What can we do ?

July 30, 2009 @ 3:00 am