How to identify & protect from hacked SSL MD5 certificates

When I look at my "certificates" in Firefox, for Gmail, for example, it says SHA1 fingerprint and MD5 fingerprint, e.g., for Thawte SGC CA (i.e., mail.google.com).

Does this mean this is a site that can easily be compromised?

If so, what do we do in Firefox 3.0.5 on Windows to protect from a spoofed site?

Pat

I noticed 97% of the errant certificates are signed by the budget operation RapidSSL.

Is there a way to delete just the RapidSSL certificates from Firefox?

When I looked in my browser, all the certificates had an MD5 hash so I wasn't sure which ones to delete for safety.

pattilucero

There was good information here that only the Equifax was compromised so far so I've deleted all the Equifax certificates in my browser.

formatting link
But, I really don't know what I'm doing.

Is there a way to protect ourselves today from this flaw?

pattilucero

Bummer. According to

formatting link
"Unfortunately it is not possible to determine the hash function a CA uses from the CA certificate. We had to look at (website) certificates issued by the CAs instead. Over the course of a week we spidered the web and collected more than 100,000 SSL certificates, of which about 30,000 were signed by CAs trusted by Firefox. There were six CAs that had issued certificates signed with MD5 in 2008:

  • RapidSSL C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusiness CA-1
  • FreeSSL (free trial certificates offered by RapidSSL) C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=formatting link, CN=UTN-USERFirst-Network Applications
  • TC TrustCenter AG C=DE, ST=Hamburg, L=Hamburg, O=TC TrustCenter for Security in Data Networks GmbH, OU=TC TrustCenter Class 3 CA/emailAddress=snipped-for-privacy@trustcenter.de
  • RSA Data Security C=US, O=RSA Data Security, Inc., OU=Secure Server Certification Authority
  • Thawte C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailAddress=snipped-for-privacy@thawte.com
  • verisign.co.jp O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign International Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign

Out of the 30,000 certificates we collected, about 9,000 were signed using MD5, and 97% of those were issued by RapidSSL."

pattilucero

I found the answer. Yes. We have to look inside the certificate to see the "tumor", which is relatively easy to find once you know what to look for.

Mozilla did release an advisory

formatting link

pattilucero

To find a certificate vulnerable to pharming, in Mozilla:

Tools > Options > Advanced > Encryption > View Certificates, select a certificate, then View > Details > Certificate Signature Algorithm

pattilucero
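The point of the last two posts is that the "MD5 fingerprint" Firefox shows is just the browser's own hash of the certificate, while the field that matters is the Certificate Signature Algorithm chosen by the issuing CA. As an added example (not from this thread), the following Python reads that algorithm OID straight out of a DER-encoded certificate with a minimal ASN.1 parser and contrasts it with the fingerprints; the sample certificate is constructed inline and is not a real one.

```python
import hashlib

# OIDs naming the hash used inside an RSA signature (RFC 3279 / RFC 4055).
SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length (real certs use it)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode the content bytes of a DER OBJECT IDENTIFIER into dotted form."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm(der):
    """Return (OID, name) of the algorithm the issuing CA used to sign this certificate."""
    _, cert, _ = read_tlv(der, 0)           # Certificate ::= SEQUENCE
    _, _, pos = read_tlv(cert, 0)           # skip tbsCertificate
    _, sig_alg, _ = read_tlv(cert, pos)     # signatureAlgorithm AlgorithmIdentifier
    tag, oid_raw, _ = read_tlv(sig_alg, 0)  # its first element is the algorithm OID
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    oid = decode_oid(oid_raw)
    return oid, SIG_OIDS.get(oid, "unknown")

def fingerprints(der):
    """The MD5/SHA1 'fingerprints' Firefox shows: the browser's own hashes of the whole DER."""
    return hashlib.md5(der).hexdigest(), hashlib.sha1(der).hexdigest()

def der_tlv(tag, content):
    """Tiny DER encoder, used only to build the constructed sample certificate below."""
    return bytes([tag, len(content)]) + content   # short-form length only

# Constructed sample, not a real certificate: a placeholder tbsCertificate,
# an md5WithRSAEncryption AlgorithmIdentifier and a dummy signature BIT STRING.
MD5_RSA_OID = bytes.fromhex("2a864886f70d010104")
SAMPLE_DER = der_tlv(0x30, der_tlv(0x30, der_tlv(0x02, b"\x01"))
             + der_tlv(0x30, der_tlv(0x06, MD5_RSA_OID) + der_tlv(0x05, b""))
             + der_tlv(0x03, b"\x00" + b"\xaa" * 8))
```

For a real certificate exported from the browser as DER, `signature_algorithm(open("cert.der", "rb").read())` reports the CA's signing algorithm; a result of md5WithRSAEncryption is what the thread is warning about, whatever the fingerprint lines say.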
