
Benne de Weger of TU/e and Marc Stevens of CWI, together with five fellow researchers, are behind what may fairly be called a bombshell under the security of the internet. The secure underlayer of digital transactions, SSL [?], can be spoofed: the digital certificates it relies on can be forged, and a browser led up the garden path.
The Register explains:
“Researchers have uncovered a weakness in the internet’s digital certificate system that allows them to forge counterfeit credentials needed to impersonate virtually any website that relies on the widely used security measure. (…)
The latest findings take the known MD5 weaknesses a step further by showing how so-called collisions allow for the creation of valid digital credentials used by certificate authorities, which are appointed organizations that validate the authenticity of websites used for banking and other sensitive online activities. Once the researchers have generated the rogue certificate authority certificate, they can create SSL certificates for any site that will be accepted by just about any web-connecting device. (…)”
Today the team of researchers presented its findings at the Chaos Computer Club's (CCC) annual hacker congress in Germany.
The technical description of the hack is given on this TU/e web page, and in brief here.
News.com explains the practical consequences for the public, banks and web shops:
“(…) The problem is unlikely to affect most Internet users in the near future because taking advantage of the vulnerability requires discovering some techniques that are not expected to be made public as well as overcoming engineering hurdles: performing the initial digital forgery consumed approximately two weeks of computing time on a cluster of 200 PlayStation 3 consoles. In addition, a criminal needs to find a way to reroute traffic from a legitimate Web site to his own, perhaps through techniques that have become well-known in the last few years. (…) Unlike most security issues, this problem cannot be fixed with a simple software update. (…)”
Photo: Alex Klink
Networking4all has a tool on its website to check whether any certificate in a site's chain was created with an insecure algorithm.
See:
http://www.networking4all.com/nl/helpdesk/tools/site+check/
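The check such a tool performs, written out here as an added example (this is not the page's code and not Networking4all's tool): walk the DER encoding of each certificate in a chain, decode the signature-algorithm OID, and flag anything signed with MD5 (the algorithm the rogue CA attack exploits) or SHA-1. It reads both places a certificate names its signature algorithm, `tbsCertificate.signature` and the outer `signatureAlgorithm`, and reports a mismatch, since RFC 5280 requires them to be identical. The weak/strong classification is this example's own, and the certificate it checks is a constructed, certificate-shaped blob, because a real one is too long to embed; real input goes through `pem_to_der`.

```python
"""Report the signature algorithm of every certificate in a chain and flag
MD5-signed ones (the weakness the rogue-CA attack exploits).  Pure-Python
DER walk, no third-party modules; only the fields the check needs are read."""
import base64
import re

# Signature-algorithm OIDs -> names; which ones count as weak is this
# example's own classification, not the Networking4all tool's.
WEAK = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
        "1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}
STRONG = {"1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
          "1.2.840.113549.1.1.12": "sha384WithRSAEncryption"}

def _read_tlv(buf, pos):
    """Return (tag, contents, end offset) of the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    """Decode OBJECT IDENTIFIER contents to dotted form."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithms(cert_der):
    """Return (tbsCertificate.signature OID, Certificate.signatureAlgorithm OID).
    RFC 5280 requires both to be identical, so the checker reads both."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, pos = _read_tlv(cert, 0)                    # tbsCertificate
    _, outer_alg, _ = _read_tlv(cert, pos)               # signatureAlgorithm
    tag, _, p = _read_tlv(tbs, 0)
    if tag == 0xA0:                                      # [0] EXPLICIT version present
        tag, _, p = _read_tlv(tbs, p)                    # then serialNumber follows
    if tag != 0x02:
        raise ValueError("expected serialNumber INTEGER")
    _, inner_alg, _ = _read_tlv(tbs, p)                  # tbs signature field
    return (_decode_oid(_read_tlv(inner_alg, 0)[1]),
            _decode_oid(_read_tlv(outer_alg, 0)[1]))

def check_chain(chain_der):
    """Classify each DER certificate; returns [(index, algorithm name, verdict)]."""
    names = {**WEAK, **STRONG}
    findings = []
    for i, cert in enumerate(chain_der):
        inner, outer = signature_algorithms(cert)
        if inner != outer:
            verdict = "MISMATCH"             # malformed or tampered certificate
        elif outer in WEAK:
            verdict = "WEAK"
        else:
            verdict = "OK" if outer in STRONG else "UNKNOWN"
        findings.append((i, names.get(outer, outer), verdict))
    return findings

def pem_to_der(pem_text):
    """Split a PEM bundle (leaf first, as a server sends it) into DER blobs."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def to_pem(der):
    """Wrap one DER certificate in PEM armour (64-column base64 lines)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

# --- constructed input: a real certificate is too long to embed, so build a
# minimal blob with the X.509 outer shape.  It is NOT a valid certificate
# (no issuer, subject, validity or key); only the fields read above are filled.
def _der(tag, content):
    assert len(content) < 0x80                # short-form length suffices here
    return bytes([tag, len(content)]) + content

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:                              # base-128, high bit set on all but the last byte
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(reversed(chunk))
    return _der(0x06, body)

def make_toy_cert(outer_oid, inner_oid=None):
    """Certificate-shaped blob whose two signature-algorithm fields carry the given OIDs."""
    alg = lambda oid: _der(0x30, _oid(oid) + b"\x05\x00")       # AlgorithmIdentifier, NULL params
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))              # [0] version v3
                     + _der(0x02, b"\x01")                          # serialNumber 1
                     + alg(inner_oid or outer_oid))                 # signature
    return _der(0x30, tbs + alg(outer_oid) + _der(0x03, b"\x00" + bytes(8)))

if __name__ == "__main__":
    chain = [make_toy_cert("1.2.840.113549.1.1.11"),   # leaf signed with SHA-256
             make_toy_cert("1.2.840.113549.1.1.4")]    # intermediate signed with MD5
    for idx, name, verdict in check_chain(chain):
        print(f"cert[{idx}]: {name} {verdict}")
```

Against a real chain, feed the PEM bundle a server sends (or `openssl s_client -showcerts` output) through `pem_to_der` and then `check_chain`; the leaf is usually fine, so the verdict that matters is the one on the intermediate and root, which is exactly where the rogue CA certificate sits.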
Can you please correct the photo credit? This is not a TU/e photo, but was taken by myself at the 25C3, see http://www.shiftordie.de/articles/MD5%20hackers
Thanks & greetings,
Alex
Cheers, just did so.
[...] the rest here: Nederlandse bom onder mondiale veiligheid e-commerce « De Koopman [...]