Hackers compromise SSL, potentially able to fake encrypted web connections

Computing | by Stephen Schenck | Tue Dec 30, 2008 5:34PM | 0 comments

Security researchers have successfully generated a rogue SSL certificate signing authority using weaknesses in the MD5 hash, effectively letting them impersonate even those web sites using SSL encryption. MD5 is used to create signatures for authenticating data. A string of data of any length can be reduced to a short MD5 hash. The security comes from the fact that even a tiny change to the input data makes the MD5 hash change completely. The starting point for this hack was the discovery that it is possible to generate two different sets of input data that compute to identical MD5 hashes.

Using a supercomputing cluster of 200 PlayStation 3 consoles, the team was able to construct an SSL signing key that passes MD5 checks for a known SSL signing authority. These signing authorities are trusted companies that vouch for others. Your web browser doesn't contain encryption keys for the millions of websites supporting SSL. Instead, it trusts a select few of these authorities, which in turn verify other signing authorities as being on the up-and-up, which then verify that the SSL certificate used on your bank's web server actually belongs to your bank, and not to some group of hackers putting up a fake site.

By faking the MD5 hash of one of these trusted signing authorities, the researchers are able to make fake SSL certificates for any website they want, and your browser will verify them as legitimate. For now the hack isn't publicly available, takes six months or more to implement due to the tremendous amount of processing and planning required, and hasn't fallen into the hands of any criminals. Researchers are already working on ways to prevent the attack, including possibly switching from MD5 to a more secure hash.
