Tuesday, February 10, 2009

Online security dented by certificate hack

Is internet banking safe? Yes it is, if we use a little bit of our intelligence.

A group of academics has succeeded in breaking a key security feature used by banks to protect online banking websites.

The exploit allows hackers to replicate trusted certificates issued by organisations called "certificate authorities". These trusted certificates are used to verify website certificates, which in turn verify the identity of a website or user for security purposes, such as during an e-commerce or online banking transaction.

Hackers can use the replicated trusted certificates to create forged website certificates. So far, only certificate authorities that use a cryptographic function called the "MD5 algorithm" to sign and verify digital certificates are vulnerable.

It could be used for identity theft. You might think you're going to a secure website, but in fact you could unknowingly be redirected to a site serving up malicious software. This exploit is potentially a huge problem for any organisation dealing with certificate authorities and for certificate authorities themselves.

Microsoft has issued an advisory to business customers asking them to contact their certificate authority for guidance and says it is working with certificate authorities to encourage them to upgrade to a newer algorithm.

Attacks were unlikely because of the expertise required, and only certificates signed using MD5 after the exploit was published were believed to be at risk.

My only advice to all my readers and users out there:

Please check the websites by clicking on the "padlock" to view the certificate's details, which shows the signature algorithm used.
