On December 30, 2008 at the Chaos Communication Congress in Berlin, three researchers presented a paper in which they had used an MD5 collision attack and substantial computing firepower to create a false SSL Certificate using the RapidSSL brand of certificates.
Symantec is happy to announce that the attack described was rendered ineffective for all SSL Certificates available from Symantec by 11am PST of the same day.
Q: Are the researchers’ claims about the MD5 vulnerabilities accurate?
A: Because the researchers did not brief Symantec on their findings, we received this information only today. Nothing in the research appears inaccurate upon cursory examination. Once we have had the opportunity to examine this paper properly, we will have a more definitive response to this question.
Q: How has Symantec mitigated this problem?
A: Symantec has removed this vulnerability. As of approximately 11:00 am today, the attack laid out this morning in Berlin cannot succeed against any RapidSSL certificate or any other SSL Certificate that Symantec sells under any brand.
Q: As a site operator what do I need to do to protect the security of my site?
A: No action is required of our customers. No existing certificates are affected by this attack and the vulnerability has been rendered ineffective for all RapidSSL Certificates moving forward.
Q: Is Symantec going to stop using MD5 as a result of these findings?
A: Symantec has been phasing out MD5 over the past two years; the planned phase-out date has been on the roadmap for late January 2009 (less than one month from now). In light of today's presentation, Symantec will be accelerating this phase-out to the earliest safe date. We will notify the public when the phase-out is complete. As of today, we have discontinued using MD5 when we issue RapidSSL certificates, and we've confirmed that all other SSL Certificates we sell are not vulnerable to this attack.
Q: Why has it taken so long for Symantec to phase out MD5?
A: Sunsetting a legacy technology within a business ecosystem takes time, as revoking and replacing certificates could potentially halt a customer's online business. As mentioned above, Symantec will be accelerating this phase-out to the earliest safe date. We will notify the public when the phase-out is complete.
Q: How many Web sites are affected?
A: Zero. The attack, when it worked, was a potential method for a criminal to create a new, false certificate from scratch. The researchers did not demonstrate an attack against existing end entity certificates. In other words, you can't use this attack to break a certificate that already has been issued to a site.
Q: Does the vulnerability impact only sites using RapidSSL certificates?
A: This vulnerability doesn't affect any existing end entity certificates, including RapidSSL certificates.
Q: What happens to customers who have certificates in place using the MD5 hashing algorithm?
A: Today's research revealed a potential attack that required the issuance of new certificates. Existing end entity certificates are not at risk from this attack. Nonetheless, any customer who would like to do so can replace any MD5-hashed certificate free of charge. Until further notice, Symantec is suspending its normal replacement fees for these certificates. Because this replacement is not necessary to ensure the continued security of sites, we are not requiring the replacement of such certificates, as we have previously done in cases such as weak Debian keys.
Q: The researchers mentioned that Extended Validation SSL Certificates are not vulnerable to the attack because they do not allow MD5. Is that true?
A: This is correct; EV SSL Certificates utilize the latest hash algorithm and are not affected by the newly revealed MD5 vulnerabilities. Today the MD5 researchers specifically reinforced that EV SSL Certificates are safe from this attack. They stressed the need for consumers to move to EV-compatible browsers to get the most benefit from EV.
Q: Is Internet security broken?
A: Hardly. The presenters of this morning's paper stressed that it took them a long time and a great deal of computational power to succeed in their collision attack. Symantec has already eliminated the attack as a possibility.