Archive for December 30th, 2008
ps3 cluster for the win
Tuesday, December 30th, 2008
Researchers have uncovered a weakness in the internet’s digital certificate system that allows them to forge counterfeit credentials needed to impersonate virtually any website that relies on the widely used security measure.
Armed with more than 200 PlayStation 3 game consoles, the researchers are able to create a secure sockets layer certificate for any website of their choosing. The forged certificate causes all the major browsers to display a message indicating the website the user is visiting is legitimate because it’s been vetted by a trusted certificate authority using supposedly robust cryptographic measures.
Such attacks could make it easier for phishers to impersonate the sites of banks and other sensitive online services. The findings were presented Tuesday at the 25th annual Chaos Communication Congress in Berlin by researchers from Centrum Wiskunde & Informatica (CWI) in the Netherlands, EPFL in Switzerland, Eindhoven University of Technology (TU/e) in the Netherlands and independent labs in California.
“This break is major,” said Karsten Nohl, a cryptography expert and a researcher at the University of Virginia. “It definitely is the most wide-scale attack, because anything short of patching all browsers in the world to not accept the certificates, there’s nothing you can do to prevent it.”
The attack is based on known weaknesses in the cryptographic hash function known as MD5. In 2004, researchers from China showed it was possible to generate the same MD5 fingerprint for two different messages using off-the-shelf computer hardware. Three years later, a separate group of researchers – many of whom participated in Tuesday’s presentation in Berlin – built on those findings by showing how to have almost complete freedom in the choice of both messages.
The latest findings take the known MD5 weaknesses a step further by showing how so-called collisions allow for the creation of valid digital credentials used by certificate authorities, which are appointed organizations that validate the authenticity of websites used for banking and other sensitive online activities. Once the researchers have generated the rogue certificate authority certificate, they can create SSL certificates for any site that will be accepted by just about any web-connecting device.
The vulnerability in the web’s SSL system is made possible by a handful of certificate authorities who continue to rely solely on MD5 to sign certificates. Even though the number amounts to a tiny fraction of authorities, all web browsers continue to accept MD5 hashes. The researchers didn’t identify the certificate authorities by name.
Jacob Appelbaum, one of the researchers who developed the proof-of-concept attack, said browser makers should take action to protect their users against the vulnerability. Among the measures his group is advocating is disabling the use of MD5 signatures, blacklisting rogue certificates, and the required use of more robust cryptographic hashes such as SHA-2 and, when ready, SHA-3.
The researchers began their proof-of-concept attack with more than 200 PlayStation 3 consoles running in a Linux cluster, which they used to generate millions of possible certificates. Once they found a pair that had a special collision in the MD5 hash, they requested a legitimate website certificate from one of the authorities that relies only on MD5 to generate signatures.
After copying the signature into a rogue certificate authority credential, they had the ability to generate widely accepted website certificates for any site of their choosing.
To prevent misuse of their certificate, they set it to expire in 2004, so only machines that are badly out of date can be tricked by their attack. Still, Appelbaum says, it should now be clear that MD5 is irretrievably broken and can no longer be trusted.
“We can control the output of the hashing function within specific constraints,” he says. “This means that when you use MD5 in digital signatures, you’re rolling the dice.” ®
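The first of the countermeasures above, refusing MD5 signatures, starts with recognising them. As an added example (not the researchers' code, and not a browser's real validation path), the following walks the DER of an X.509 certificate far enough to read the outer signatureAlgorithm OID and flags the MD2/MD5 RSA algorithms; the TLV walker and the two sample certificates are constructed here, with a placeholder tbsCertificate and a dummy signature.

```python
# Added example: flag certificates whose outer signatureAlgorithm is MD2/MD5-based.
# The DER walker and the sample certificates are constructed for this example.

# Well-known PKCS#1 signature-algorithm OIDs that rest on a broken hash.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw: bytes) -> str:
    """Decode OID contents to dotted form (first byte packs arcs 1 and 2)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends a base-128 group
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der: bytes) -> str:
    """Dotted OID from Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(body, 0)        # tbsCertificate: skipped entirely
    _, alg, _ = _read_tlv(body, pos)         # signatureAlgorithm: AlgorithmIdentifier
    tag, oid_raw, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid_raw)

def uses_weak_hash(cert_der: bytes):
    """Return the weak algorithm name if the cert is MD2/MD5-signed, else None."""
    return WEAK_SIGNATURE_OIDS.get(signature_algorithm_oid(cert_der))

def _der(tag: int, content: bytes) -> bytes:
    """Encode one TLV, using the long length form when content exceeds 127 bytes."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _sample_cert(alg_oid_hex: str) -> bytes:
    """Constructed sample: placeholder tbsCertificate, real AlgorithmIdentifier, dummy signature."""
    tbs = _der(0x30, b"\x02\x01\x01")                                       # stand-in, not a real tbsCertificate
    alg = _der(0x30, _der(0x06, bytes.fromhex(alg_oid_hex)) + b"\x05\x00")  # OID + NULL parameters
    sig = _der(0x03, b"\x00" + b"\xAA" * 128)                               # dummy 1024-bit BIT STRING
    return _der(0x30, tbs + alg + sig)

MD5_CERT = _sample_cert("2a864886f70d010104")     # md5WithRSAEncryption
SHA256_CERT = _sample_cert("2a864886f70d01010b")  # sha256WithRSAEncryption
```

On a real certificate, pass the DER bytes (for a PEM file, `ssl.PEM_cert_to_DER_cert` from the standard library converts it); the check reads only the outer signature field, so a chain must be examined certificate by certificate, and the root's self-signature is irrelevant because it is never verified.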
electrabel new years ad
Tuesday, December 30th, 2008
Rare Exports, The Brutal Story of Where Santas Really Come From
Tuesday, December 30th, 2008
guest post by Jason Schupp
Warning: glimpses of nudity here and there, and it’s a bit brutal.
Although the Christmas season is over for this year, I think there’s room for one more Santa origin tale. From Finnish production company Woodpecker Films comes this short film on where Santas come from: “Rare Exports”, who have been delivering real Finnish Father Christmases since 1739. Warning: not for the easily squeamish. I’m never going to look at Santa the same way again.
Two years later, following a particularly bad incident, they had to shoot this reproachful safety film on the handling and care of the Father Christmas during shipping:
Hat tip to my friend Su, who pointed me towards these.
This is a blog post from Laughing Squid For more content like this, subscribe to the RSS feed, Twitter & FriendFeed.
Modern Hobo Code, Mark Warnings & Points of Interest In Your Town
Tuesday, December 30th, 2008
Our friends at Cockeyed have just released their Modern Hobo Code, which can be used to mark warnings and points of interest in your town like the hobos used to do.
The legendary “hobo code” was a set of covert markings used to warn other hobos about danger or to clue them into good situations. As times have changed, a new set of code symbols has emerged to alert other hobos to circumstances in modern America. Perhaps you have seen them on your own city streets.
In October Cockeyed released their helpful series of Kids Halloween Candy Code.
image via Cockeyed
Macworld 2009, The Last Year With Apple
Tuesday, December 30th, 2008
Macworld 2009 takes place next week, Monday, January 5th through Friday, January 9th at the Moscone Center in San Francisco. The Expo opens on Tuesday after the keynote, which will not be given by Steve Jobs this year but instead delivered by Apple VP Philip Schiller. This is also the last year that Apple will be involved with Macworld.
For more Macworld coverage, check out Adam Jackson’s blog Macworld Bound.
Here are my photos from the Macworld 2008 Expo floor.
photos by Scott Beale
Battle of the Best Beta Releases of 2008
Tuesday, December 30th, 2008
In 2008, power users tested a parade of new webapps and software bearing the "beta" disclaimer. Take a look at the beta releases that knocked your socks off the most this past year.
Firefox 3
Prior to its Guinness World Record-setting launch in June, in true open-source fashion Mozilla rapidly iterated Firefox 3 beta releases, and brave testers ate 'em up, excited by Firefox 3's promising new features.
Windows 7
While not officially out in beta form until yesterday, the Windows 7 Preview release made the rounds on file-sharing networks across the internet. Windows 7 is due out in 2009; here are the top 10 things to look forward to in it.
Ubuntu "Hardy Heron" and "Intrepid Ibex"
New Ubuntu releases always score high on the interest-o-meter for free software advocates, and the beta releases of version 8.04 "Hardy Heron" and 8.10 "Intrepid Ibex" were no different.
Google Chrome
Just this month it officially graduated out of beta, but when the Google Chrome beta launched in September it added renewed interest and heightened competition in the ongoing browser wars. See our Power User's Guide to Google Chrome.
PwnageTool
Jailbreaking your iPhone and iPod touch to run non-Apple-approved apps was one of your favorite activities of 2008, so when one of the easy tools to do that—PwnageTool—updated to support Apple's new iPhone software, you rushed to get the download. These days PwnageTool is on version 2.2 and supports the most recent iPhone software version; Windows users want to grab QuickPwn to do their jailbreak.
DropBox
The private, invite-only beta release of DropBox generated the longest comment thread here on Lifehacker all year—made of readers begging for an invite. Nowadays, invites are no longer necessary for the public file storage service. See how Adam uses DropBox as the ultimate password syncer.
Internet Explorer 8 Beta 1
Mozilla and Google aren't the only companies working on a new browser. This little organization called Microsoft still holds the majority market share of browser usage, and the next iteration of Internet Explorer—IE 8 Beta 1—is a preview of what the rest of the world will be using to browse the web next year.
XBMC Atlantis
Though it graduated from beta this past November, the public beta of XBMC Atlantis' promise to bring the favorite open-source media player to all hardware got lots of interest and attention.
Ubiquity Firefox Extension Prototype
One of the most interesting bits of browser innovation we saw this year, the Ubiquity prototype adds key commands and webapp integration that makes you go "ok, we're living in the future." See the Ubiquity video demonstration to get a preview.
BumpTop Beta
BumpTop, the eye-popping new desktop interface for Windows, turns heads in its amazing demonstration video, as a user moves, piles, fans, and lassos digital files the way you would paper documents on a physical desktop. You've still got to sign up to get an invite into the BumpTop beta to try it out yourself.
What were the most exciting beta releases of 2008?
Get Free Logos at LogoInstant
Tuesday, December 30th, 2008
If you need a logo but you're lacking the design chops to whip one up, score a free one at LogoInstant.
LogoInstant is a design service that cranks out a new logo every day. The logos are completely free for both personal and commercial use and come in a layered Adobe Photoshop source file so you can edit the name or make more advanced changes. For more logo resources, check out LogoYes a flash based logo creator.
What’s On Your Productivity Wishlist for 2009?
Tuesday, December 30th, 2008
We asked our editors and contributors to create a blue-sky wishlist for all things productivity and software in 2009. Read on for their responses, and to contribute your own do-wants for the new year.
We asked our respondents to be realistic—more "Gmail gets better RSS features" than Brain-Reading Omega Organizer—but also think in broader terms about what would help them get more things done, or just live their lives a bit easier. Here's what they had to say:
Photo by le.
Gina Trapani
Editor
Stronger filters and easier ways to hear from people and about things I care about, like:
- Facebook friend prioritization based on communication frequency, auto-prioritizing mentions of stuff I like (like "triathlon" or "Mad Men").
- Auto-email smarts—make that important message from the boss or my Mom jump out because I've established that this is a VIP-to-me without manually setting up a filter.
- Better contact unification and management all around, so I know that Kevin Purdy on Facebook is this guy who emailed me is this guy on Twitter is this guy in my Mac's Address Book is this guy who's in this photo.
More cloud computing and data storage, but also more privacy and security around it, like:
- A faster, better way for Google to verify your identity and restore revoked account access (so fewer Google Account lockouts with delayed restoration).
- Easier ways to identify what info I want to share with whom (like my location).
- A personal data-sharing audit: like a credit report, a list of what apps/services/etc are requesting and getting private details about me and how often.
Random feature requests:
- (Of course!) Copy and paste on the iPhone, and better homescreen customization on the iPhone, a la Android.
- Android on more (and better) handsets.
- Extensions in Chrome (that's coming!).
- GrandCentral to come out of invite-only beta.
- Windows 7 to right all the wrongs that Vista incurred on Windows users.
Kevin Purdy
Associate Editor
- Extensions in Chrome—if only for better tab control, Foxmarks, and the (thankfully) inevitable Remember the Milk add-on.
- A few Linux (or Ubuntu-specific) fixes, like better dual-monitor support when using graphics accelerators, a less-buggy Avant Window Navigator, consistent font rendering and notifications, and improved Office 2007 support in WINE/CrossOver. (But, really, that's it!)
- More and better Android-based handsets on different carriers—or, hey, just port over Lenovo's O-phone to the U.S., por favor.
- A seamless app for creating passwords using a scheme (like Gina's system), storing and encrypting them, and then pasting them into any on-screen app—basically, the security-plus version of Texter.
- A serious revolution in battery power and recharging efficiencies—even if it's only a laptop revolution. The blog-from-anywhere fantasy really falls apart after the first dozen times you have to do the Coffee Shop Outlet Stalk.
- A minimum of three hours studying and practicing the art and craft of knife sharpening. Because there are 40 major opinions on how to do it, but only one way to know for sure.
Jason Fitzpatrick
Weekend Editor
"I want more data portability and interoperability. I don't want to have to upload things multiple times to different sites. I don't want to check multiple inboxes. I don't want to have three voicemail boxes. I don't want to feel like I'm constantly handling and rehandling data, contacts, etc. .... For an overstretched professional it's just too big of a pain in the ass to try out something new (that may end up being very helpful and revolutionize your workflow) if it means hours or days of wrangling data from one system to another and so on ... Unless my mom can set up a unified inbox without calling me and eventually having me come over and help her do it, I don't consider it a practical solution.
On a related note... I love seeing things emerge like GPS enabled to-do lists that remind you when you're in physical proximity to the task at hand and so forth. I want to see that pushed further and further. I want a personal digital assistant that makes suggestions. I want to feel like the real power of modern computers, the cloud, and the enormous amount of data out there is being harnessed.
car shopping, etc."
Wendy Boswell
Lifehacker Alumnus, About.com Web Search Guide
"I would love to see an application developed that’s similar to OpenID, except for job search engines and job search sites. My husband is currently looking for a new position (sys admin, any takers? Bueller? Bueller?) and it’s extremely tiresome to fill out forms over and over. Sure, Roboform works in some cases, but for the most part it doesn’t.
I’d also love for Google to include more clustering in their search results, much like Clusty or Ask.com. This would definitely cut down on the spammy results that seem to be more and more prevalent, and would certainly be more effective than the latest Google “innovation” of voting results up or down."
Keith Robinson
Lifehacker Alumnus, Creative Director at Blue Flavor
"I've never been one to rely on technology for my productivity. I'm not into finding the next, best GTD application, for example. Most of my productivity comes from good, old-fashioned elbow grease. I find a little hard work and discipline every day more helpful than any Gmail trick, to-do application or keyboard shortcut. Having said all of that, I'm really looking forward to seeing software, like Cultured Code's Things, work really well on my iPhone. I'm spending more and more time away from my laptop (aka my Back Up Brain) and I need my mobile device of choice to carry more of the weight. I've got high hopes for 2009 being a year where mobile software (iPhone- and productivity-specific or not) really comes into its own."
The How-To Geek
Contributor, blogger
- Gmail authentication of Paypal's email servers would reduce spam/phishing.
- An Android Phone from Verizon.
- Global shortcut keys for Digsby.
- Remember the Milk integration with Outlook.
Jared Goralnick
Contributor, "Productivity Evangelist," creator of AwayFind
"In 2009, I’d love to see more anti-technology technology: applications that don’t add a supposed “layer of convenience” on top of my existing tools, but actually pull a layer out from the middle, simplifying rather than offering flexibility or functionality. For instance, I don’t want more information about my Twitter or email, I want fewer places to not only check but interact with (preferably relevant) incoming messages.
Much as I enjoy software that adds nuance to my workflow, I’d love to see more tools that take little nurturing but manage to decrease the amount of time I spend overall, much like a pill that you take every day, recognizing its essential value without working too hard to get it."
Jason Womack
Contributor, performance trainer, consultant
"Do you know how sometimes people sit in meetings and don’t give their full attention to the discussion topics? The 'Killer Productivity App' of 2009 would be less a gadget, and more a mindset—a mantra, really:
'I’m easily capturing next actions and multi-step projects as they appear.'
Any tool or system that I see work – that is a tool or system that people actually work – must incorporate that focus. So, going into the next 12 months, I personally am going to be working over time to manage my words...to promise AND deliver, every time."
Your take
That's what our own stable of productivity and software thinkers came up with for their 2009 wishlists. What do you really want to see in the new year? Is it a specific app or gadget, a system that could use a reboot, or something that's just not there? Tell us about it in the comments, and we'll round up the best responses for a future post.