SSL Websites Not Secure Enough, say Researchers

Pretty much anyone with a basic knowledge of web security knows to look for the padlock symbol and an address beginning 'https:' before typing in personal or confidential details. But security researchers say the system behind this safeguard may not be as secure as believed.

You shouldn't panic immediately, however: the workaround was found by legitimate researchers and the full details are being kept secret for obvious reasons. It would also take both intensive computer power and some other hacking tricks for criminals to exploit the loophole. At the moment, the security gap is more of a principle issue than a practical one.

The issue involves the web's security certificate system, known as SSL (Security Sockets Layer). The 'https:' address and padlock symbol show that data sent to and from a site will be encrypted and that the site has a legitimate security certificate proving it really is owned by the person or organization that it claims. The certificate is checked by a third-party authority.

The problem is that both the encryption and the certificate verification are carried out with a mathematical algorithm -- in effect, a series of calculations. Some of the authorities which check certificates still use an algorithm named MD5 which involves what is effectively a password of 32 letters or numbers.

While this seemed perfectly adequate when it was devised in 1991, security experts say it isn't suitable for today's Internet use. Researchers have now found that using a barrage of computers, equivalent to a single machine working for 32 years, it's possible to successfully forge a security certificate to an authority using MD5. (Source: cnet.com)

Alexander Sotirov, one of the lead researchers in the project, says the loophole isn't really a bug as the software does exactly what it is designed to do. The problem is that modern computing power is strong enough to crack MD5 and that all certificate authorities should switch to a more modern alternative.

Some authorities are already using SHA-1 which, rather than a 32 digit password, has one of more than 18 million trillion digits (and yes, that's a very large number). (Source: nytimes.com)