Secure your browser

Overview of the attack

SSL (Secure Sockets Layer) is a protocol for providing security between YOU and the web server you connect to. Sensitive transactions such as e-banking are often secured using SSL. Servers are issued so-called certificates by trusted third parties, the certificate authorities (CAs); a certificate ties the URL you type into your browser to a specific physical entity. It is the job of these trusted third parties to ensure that the certificates they issue really match the entities they claim to belong to.

By being able to issue certificates with arbitrary names, an attacker may circumvent the main security measure protecting e-commerce web sites. Secondary attacks such as DNS spoofing then allow him to completely impersonate targets, such as banks, online retailers or auction sites.

Our attack exploits a recently discovered problem in cryptographic libraries that are used by a significant share of browsers. Plainly speaking, these browsers not only accept valid certificates but also approximations to valid certificates. We can generate these approximations on a modern PC in less than 10 minutes. The credit for discovering this problem goes to Daniel Bleichenbacher, who presented it in a 5 minute talk in Santa Barbara, California on August 22nd 2006 at an annual conference of cryptographers.

Technical background

We have developed an implementation for the attack recently presented by Bleichenbacher during the CRYPTO 2006 rump session. In essence, by making use of a common implementation error, an attacker is able to forge arbitrary certificates if the signing certificate has a public exponent of 3. By using a minor modification to the attack, we were able to make it work for smaller modulus sizes, such as 1024-bit moduli. Following this implementation we did a survey of browsers affected by this security vulnerability and found that there are CA certificates with a public RSA exponent of 3 installed by default in all major browsers. Practical tests showed that we are indeed able to carry out the attack fully for the affected browsers listed below.
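As an added illustration (not code from the original page or its authors), the following Python contrasts a lenient PKCS#1 v1.5 signature verifier of the kind described above, which stops checking once it has located a DigestInfo, with a strict verifier that compares the whole encoded block. Both operate on the already-decrypted block (the result of the RSA public-key operation) and perform no RSA arithmetic; the message, block size and filler bytes are constructed for the example.

```python
import hashlib
# DER prefix of DigestInfo for SHA-1 (RFC 3447, section 9.2, note 1)
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

def build_valid_em(msg: bytes, k: int) -> bytes:
    """Correct EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 DigestInfo, exactly k bytes."""
    t = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def build_sloppy_em(msg: bytes, k: int) -> bytes:
    """Constructed 'approximation' of a valid block: the DigestInfo follows a
    short run of padding and the rest of the block is arbitrary filler.
    A lenient verifier never looks at that filler."""
    t = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(msg).digest()
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    return head + b"\x42" * (k - len(head))  # constructed filler bytes

def lenient_verify(em: bytes, msg: bytes) -> bool:
    """Flawed verifier: walks the padding, reads the DigestInfo and compares the
    hash, but never checks that the DigestInfo ends where the block ends."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    i += 1
    if em[i:i + len(SHA1_DIGESTINFO_PREFIX)] != SHA1_DIGESTINFO_PREFIX:
        return False
    i += len(SHA1_DIGESTINFO_PREFIX)
    digest = em[i:i + 20]
    return digest == hashlib.sha1(msg).digest()  # bytes after the digest are ignored

def strict_verify(em: bytes, msg: bytes, k: int) -> bool:
    """Correct verifier (RFC 3447, section 8.2.2): recompute the full k-byte
    encoding and require an exact match, so no unchecked bytes can exist."""
    return len(em) == k and em == build_valid_em(msg, k)

def compare(msg: bytes, k: int = 128) -> dict:
    """Run both verifiers over a correct block and a sloppy one of size k."""
    valid, sloppy = build_valid_em(msg, k), build_sloppy_em(msg, k)
    return {
        "lenient_accepts_valid": lenient_verify(valid, msg),
        "strict_accepts_valid": strict_verify(valid, msg, k),
        "lenient_accepts_sloppy": lenient_verify(sloppy, msg),
        "strict_accepts_sloppy": strict_verify(sloppy, msg, k),
    }
```

The sloppy block is exactly the kind of "approximation to a valid certificate" a patched browser rejects: only the strict verifier notices the unchecked trailing bytes.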

Firefox

Firefox browsers with a version number below 1.5.0.7 are vulnerable. Please upgrade your Firefox to the latest version. The Mozilla foundation has released a security advisory for this problem. Note that the beta versions of Firefox 2 are also vulnerable!

Mozilla / SeaMonkey

Mozilla users: please upgrade to SeaMonkey or another supported browser. SeaMonkey users, please upgrade to version 1.0.5 or above.

Opera

Opera up to version 9.01 is vulnerable to the attack. Opera has released version 9.02, which contains a fix. All Opera users should upgrade their browsers to at least version 9.02. Opera 9.01 will search for updates once a week and notify the user about available updates.

Netscape

The Netscape browser series is no longer officially supported. Please upgrade your browser to a supported browser such as SeaMonkey. We have tested Netscape 4.79, Netscape 6.2.3 and Netscape 7 which all proved to be affected.

Konqueror

The Konqueror browser by the KDE project links against the OpenSSL cryptographic library, which was recently patched against this vulnerability. Please make sure that your OpenSSL library is up to date!

Unaffected browsers

We have determined the following browsers to be unaffected by this security vulnerability:
  • Microsoft Internet Explorer 6 (as shipped with Windows XP SP2)
  • Apple Safari 2.0.4 (Mac OS X 10.4.7)

Workarounds

If you cannot upgrade your browser, we strongly recommend that you remove CA certificates with RSA public exponent 3 from your browser. We have determined the CA certificates with the following Distinguished Names to be affected:
  • C=US, O=Digital Signature Trust Co., OU=DSTCA E1
  • C=US, O=Digital Signature Trust Co., OU=DSTCA E2
  • C=US, O=Entrust.net, OU=www.entrust.net/Client_CA_Info/CPS incorp. by ref. limits liab., OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Client Certification Authority
  • C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Secure Server Certification Authority
  • C=EU, O=AC Camerfirma SA CIF A82743287, OU=http://www.chambersign.org, CN=Chambers of Commerce Root
  • C=EU, O=AC Camerfirma SA CIF A82743287, OU=http://www.chambersign.org, CN=Global Chambersign Root
  • C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authority
  • C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority
Please note that removing the above certificates is merely a stop-gap measure. We have also found that some of the Certificate Authorities installed by default have issued CA certificates with a public exponent of 3, one example being Valicert, Inc. signing another CA certificate for Starfield Technologies, Inc.

Issuer: L=ValiCert Validation Network, O=ValiCert, Inc., OU=ValiCert Class 2 Policy Validation Authority, CN=http://www.valicert.com//emailAddress=info@valicert.com

Subject: C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., OU=http://www.starfieldtech.com/repository, CN=Starfield Secure Certification Authority/emailAddress=practices@starfieldtech.com

This means that the only real fix is to upgrade your browser to a version not showing this vulnerability. Removing the above CA certificates however limits your exposure.

Who we are

This work has been done by Erik Tews, Alexander May and Ralf-Philipp Weinmann. We are members of the research groups Cryptography and Computeralgebra and Cryptographic Protocols at the TU Darmstadt in Germany. We have been supported by the Darmstadt Centre of IT Security. The possibility of an attack against SSL-capable browsers came to our attention during an audit of our own software, the open-source Java cryptography provider FlexiProvider. The FlexiProvider software was found to be immune to the implementation flaw described by Bleichenbacher.
