This week brought news of a new and startling vulnerability in one of the core technologies used in e-commerce. When you buy something online, log into your bank’s website, or even access your corporate email account from home, you probably see a little lock icon appear in your browser and the address starts with https instead of just http. That extra s means it’s secure because communications with the server are encrypted. Now, don’t worry, that encryption still works, but what if this private conversation (buying something or transferring money between accounts, for instance) wasn’t with who you thought it was? Several months ago, I wrote about a dramatic series of events in Internet security revolving around a vulnerability discovered in the Internet’s Domain Name System (DNS). This vulnerability (which experts still can’t agree on a final solution for) made it impossible to know for sure if you were actually going to amazon.com when you typed that address into your computer. The one thing that was still safe was the secure sites, the ones that start with https, but that’s no longer true.
Those sites were still safe because in addition to the encryption, that extra s means that the first thing your browser does is verify that the server it’s talking to is really the site you’re trying to go to. It does this by relying on companies that are in the business of trust. These companies sell certificates used in the encryption process that certify the website is who it claims to be. All of our online economic activity relies on these companies. We trust them because they don’t give certificates to bad guys and this allows us to make sure that we’re actually talking to Amazon’s servers when we’re making a business transaction with them.
Now, back to the question about what if your super secret, encrypted conversation is with the wrong person, and you don’t know about it. The new discovery (presented at the Chaos Communication Congress) this week was a group that found a way to exploit a long-known bug in one of the cryptographic algorithms still used by a few of these companies that we all trust. This flaw allows the researchers and, by extension, any bad guys to forge certificates so that any server could appear to be amazon.com or anyone else, for that matter.
The practical implications of this are relatively small for three reasons. The first is that for it to be really effective, it would have to be combined with the DNS bug that I talked about previously. That bug and other similar ones are difficult to exploit and some changes have already been made to most of the Internet to help protect against such attacks. Secondly, while this kind of site verification is very useful, as others have pointed out it’s not how most identity theft happens and it never will be. A far larger portion of identity theft and fraud is caused by spyware and malware that makes its way onto your computer. Even social engineering leads to more identity theft than this will, given that nearly 65% of people would give out their email password for a chocolate bar. Also, most of the companies in teh business of trust don’t allow this “bad algorithm” to be used anymore, having updated years ago to better methods.
To fix this problem, the few companies that still allow this older algorithm only need to contact the companies they do business with and provide them with new certificates. Nevertheless, this is a great example of how fragile the Internet’s security is and how important it is that companies in the business of trust remain trustworthy. When those companies and the others we rely on to conduct business online don’t stay up-to-date with the latest security information and best-practices. The chances of this flaw affecting any one individual are relatively small, so you certainly shouldn’t stop buying things online, but it’s definitely worth being a little more careful with what you do online. If you’re particularly worried, read below to find a guide to help protect yourself against this problem.
How to protect yourself from this flaw: (Warning: this is a mildly technical):
These instructions are for Firefox 3. You can do this in pretty much any other browser, but the steps will be different. However, if you’re worried about protecting yourself online, the first and biggest thing you can do is to start using Firefox and always install the updates when it asks you to. Once you’ve got Firefox installed or if you already use it, log into some site that you know uses https (start to purchase something on Amazon, but don’t complete the transaction, log into your corporate email, etc.). Once you see that the address starts with https, open the Tools menu and click on Page Info. A new window will pop up with lots of interesting information, but you’re looking for the Security tab. Once there, you’ll see a button that says View Certificate on the right side about a third of the way down. Click on that and another window will open where you’ll want the Details tab. Look for the Certificate Fields area and click on the line that says Certificate Signature Algorithm. At the bottom of the window (just below Field Value) it will describe the algorithm that’s being used. If you see MD5 then the website you’re at is vulnerable to this flaw. If you don’t see MD5 at all, then you can be sure that you’re safe for now (as with all algorithms, it could be broken tomorrow, but it’s very unlikely). Then it’s up to you to decide whether or not to conduct business with a website that still uses MD5.
image from http://flickr.com/photos/mikeygottawa/