The length of an RSA public key gives an indication of the strength of the encryption: the shorter the public key, the easier it is for an attacker to brute-force. An attacker, armed with a compromised private key derived from a short public key, would be able to decrypt both past and future SSL-secured connections if she were able to intercept the encrypted traffic. She could also impersonate the organisation to which the SSL certificate was issued if she had the opportunity to manipulate DNS lookups. Both the CA/B Forum (a consortium of certificate authorities (CAs) and major browser vendors) and NIST [PDF] (the agency which publishes technical standards for US government departments) have recommended that sub-2048-bit RSA public keys be phased out by the end of 2013.
According to the CA/B Forum's own Baseline Requirements [PDF] — effective 1st July 2012 — member certificate authorities are required to reject a request to sign an RSA public key shorter than specified in the following table:
Certificate expiry date            Minimum RSA public key length
On or before 31st December 2013    1024
After 31st December 2013           2048
Nevertheless, these key sizes are not guaranteed, as several CA/B Forum members have issued non-compliant SSL certificates since 1st July 2012. Trustwave, Symantec, KEYNECTIS, and TAIWAN-CA have all signed certificates which fall foul of their own organisation's requirement of 2048-bit RSA public keys for certificates expiring after 2013, demonstrating that the key length requirement is being treated as a guideline (which by definition is neither binding nor enforced) rather than a rule.
They are by no means the only CAs signing short RSA public keys: more than 10 years after Netcraft's first blog post on the topic and 12 years after RSA-155 [PDF], 512-bit RSA public keys are still appearing in SSL certificates. A 512-bit RSA public key was signed as recently as July 2012 by Swisscom.
Most, but not all, of the major browser and operating system vendors either disallow access or display a warning message when accessing a website using an SSL certificate with a 512-bit RSA public key. The latest versions of Safari (although not the mobile version on iOS 5.1), Opera, Google Chrome, and Internet Explorer (via an update to Windows, planned to be rolled out in October 2012) all do so. Notably, Mozilla Firefox does not yet reject such certificates.
More than a thousand websites – including several government sites – are still using SSL certificates with weak signature algorithms.
Netcraft's August 2012 SSL Survey shows there are 1,300 websites still using SSL certificates that have been signed using the cryptographically weak MD5 digest algorithm. This algorithm is demonstrably vulnerable to several types of attack, including collision attacks.
The first use of this vulnerability against SSL was demonstrated back in December 2008, when security researchers showed how an MD5 hash collision could be exploited to create a rogue certificate authority (CA) certificate that would be trusted by all common web browsers. This rogue certificate could have been used to sign arbitrary subscriber certificates, thus allowing an attacker to convincingly impersonate any secure website on the internet.
At the time of the 2008 discovery, Netcraft's SSL Survey showed that 14% of all SSL certificates were signed using the vulnerable MD5 algorithm.
A few months later, the developers of Google Chrome suggested that some browser developers would be dropping support for MD5-signed certificates at some point; however, given the number of sites still using MD5-signed certificates, it was thought that suddenly removing support for such certificates would have an undesirably large impact on users.
As the majority of MD5-signed certificates have since expired or been replaced, browser vendors and certificate authorities have been gradually phasing out support for such certificates. Apple removed support for MD5-signed certificates in an iOS 5 update last year, and Chrome's developers subsequently revisited the issue and revised their browser to display an interstitial warning about MD5 being a weak signature algorithm. This immediately caused problems for users of certain corporate proxies, where a man-in-the-middle approach was used to decrypt SSL traffic before presenting it to the client with a trusted MD5-signed certificate.
The CA GeoTrust has added the affected certificates to its certificate revocation lists at http://www.geotrust.com/resources/repository/crls/, which has resulted in the certificates being rejected as invalid in many of today's browsers, including Chrome, Opera and Internet Explorer. However, sites which currently use MD5-signed certificates can be viewed with the latest version of Mozilla Firefox without receiving any warnings, as the relevant certificate revocation lists have to be added manually, and none of the certificates specifies an OCSP server for checking the revocation status.
The CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates [PDF] no longer allow the MD5 digest algorithm to be used for root, subordinate or subscriber certificates. All but two of the 1,123 unique MD5-signed certificates still in use on the web were issued by Equifax between 2006 and 2008, with validity periods ranging between 4 and 6 years.
The remaining two MD5-signed certificates were issued by VeriSign. These do not appear to have been revoked, but are due to expire in less than a month. In the worst case, all MD5-signed certificates currently in use on the web will have expired naturally by March 2014, regardless of whatever measures have been taken by browser vendors and certificate authorities.
Several government websites are currently operating with MD5-signed certificates, including a few in Australia, a couple in New Zealand, and one in each of Ireland and the UK. The most recently issued certificates are marked as being valid from 30th December 2008 – the same day as the publication of the hash collision demonstration.
Other notable users of weak MD5-signed certificates include Reliance Bank, Commencement Bank, several online billing websites, dozens of corporate webmail services, purportedly secure hosting providers, a number of schools and universities, and even a reseller of GeoTrust SSL certificates.
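As an added example (not Netcraft's own code), the following Python audit applies the Baseline Requirements key-length table from the first article and the MD5 signature rule from this one to an inventory of certificate records. The certificate records are constructed sample values, not survey data, and the hostnames and record structure are assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Cut-over date taken from the Baseline Requirements table:
# certificates expiring on or before this date may use 1024-bit RSA,
# anything expiring later needs at least 2048 bits.
KEY_LENGTH_CUTOVER = date(2013, 12, 31)

# Signature algorithm the Baseline Requirements no longer permit.
WEAK_SIGNATURE_ALGORITHMS = {"md5withrsaencryption"}


def minimum_rsa_bits(not_after: date) -> int:
    """Minimum RSA modulus length allowed for a certificate expiring on not_after."""
    return 1024 if not_after <= KEY_LENGTH_CUTOVER else 2048


@dataclass
class CertRecord:            # constructed inventory row, not a parsed X.509 object
    subject: str             # hostname the certificate was issued for
    rsa_bits: int            # RSA public key modulus length
    not_after: date          # certificate expiry date
    sig_algorithm: str       # e.g. "sha1WithRSAEncryption"


def audit(cert: CertRecord) -> list[str]:
    """Return the policy findings for one certificate (empty list means compliant)."""
    findings: list[str] = []
    needed = minimum_rsa_bits(cert.not_after)
    if cert.rsa_bits < needed:
        findings.append(f"RSA key is {cert.rsa_bits} bits; BR minimum for expiry "
                        f"{cert.not_after} is {needed}")
    if cert.rsa_bits <= 512:
        findings.append("512-bit RSA key: current Safari, Opera, Chrome and IE reject it")
    if cert.sig_algorithm.lower() in WEAK_SIGNATURE_ALGORITHMS:
        findings.append("MD5 signature: collision attacks known; BRs forbid MD5 for any certificate")
    return findings


def audit_all(certs: list[CertRecord]) -> dict[str, list[str]]:
    return {c.subject: audit(c) for c in certs}


# Constructed sample inventory covering each rule and the cut-over edge case.
SAMPLE_CERTS = [
    CertRecord("ok.example", 2048, date(2015, 1, 1), "sha1WithRSAEncryption"),
    CertRecord("legacy.example", 1024, date(2013, 12, 31), "sha1WithRSAEncryption"),
    CertRecord("short.example", 1024, date(2014, 6, 30), "sha1WithRSAEncryption"),
    CertRecord("weak512.example", 512, date(2013, 6, 30), "sha1WithRSAEncryption"),
    CertRecord("md5.example", 2048, date(2014, 3, 1), "md5WithRSAEncryption"),
]

if __name__ == "__main__":
    for host, issues in audit_all(SAMPLE_CERTS).items():
        print(host, "OK" if not issues else "; ".join(issues))
```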
Nine months after its launch, content distribution network CloudFlare is now used by more than 40 thousand sites in Netcraft's web server survey. The company announced its public beta at TechCrunch Disrupt in September 2010, where it came in as a close runner-up. Despite not winning, CEO Matthew Prince later described how Disrupt brought his team together and resulted in an increase in signups without having to carry out any additional PR or marketing.
CloudFlare also gained customers after recent praise from LulzSec, who use the service to run their website at lulzsecurity.com. LulzSec have accrued more than 200 thousand followers on Twitter as a result of their attacks against high-profile targets such as Sony, Fox, PBS and the X Factor.
When a website uses CloudFlare, client requests are made to a global network of edge nodes rather than to the website itself. This can increase performance, particularly when an edge node is located somewhere that can respond faster than the website's original hosting location.
By monitoring site traffic, CloudFlare can also offer some protection against denial of service attacks. When malicious traffic is detected, it can be automatically blocked at the edge nodes, before the traffic hits the website. Matthew Prince reported some DDoS attacks against CloudFlare yesterday, but noted that the service had not been impacted.
However, AnonNews used to be a prominent user of CloudFlare until the service was disabled after a DDoS attack affected the CloudFlare network. With traffic instead being routed directly to the server hosting anonnews.org, it has been seemingly unable to withstand the current series of attacks against it. The domain is registered to Sven Slootweg, who told Netcraft, "They had to turn it off on my domain for the past few days because of a really large DDoS attack." He added, "It apparently seriously affected their network. There is one or more Turkish patriot hacker groups constantly attacking AnonNews."
Nonetheless, CloudFlare's growth is continuing at a strong rate. The accessibility and cost of the service is undoubtedly playing a large part in this success – no contracts are required, and users can either sign up for free, or pay only $20 per month for a Pro account which offers better performance, advanced security protection and real-time stats. CloudFlare will also be offering an enterprise service soon.
A new SSL certificate authority may be set to shake up the market by offering free 3 year domain validated certificates. AffirmTrust announced its entry into the SSL market yesterday, with an interesting mission statement:
"To give away as many free certificates as possible because we can - also it is just a lot of fun. We want to move an industry forward making security more available to every legitimate merchant on the Internet. AffirmTrust is not just a business - it's a quest to make meaningful change that benefits both merchants and consumers."
Although the company is new to the market, AffirmTrust's management team already has several years of relevant experience behind it – they were responsible for co-founding SSL company GeoTrust, which was later acquired by VeriSign in 2006 for $125 million. Today, the GeoTrust brand is owned by Symantec, which acquired VeriSign's security business last year.
AffirmTrust is not alone in giving away free SSL certificates. Eddy Nigg's StartSSL also offers free domain validated certificates, although these are only valid for a period of 1 year. Both companies also sell Extended Validation certificates, which require a more costly vetting process to ensure they are only issued to legally established businesses or organisations.
Domain validated certificates are generally the cheapest type of certificate available. This is because the issuance process can be automated to a high degree, as the applicant does not have to prove their identity – all they have to do is prove that they own (or control) the domain in question. This has no doubt played a large part in the popularity of domain validated certificates compared with Extended Validation certificates, particularly amongst low-traffic, low-revenue websites.
Despite the free alternatives, the paid-for domain validated certificate market still looks extremely healthy today: Netcraft's latest SSL Survey shows Go Daddy having the largest net growth in domain validated certificates during each of the past 4 months. With that in mind, it will be interesting to see the impact that AffirmTrust will have on the market, and whether any other companies will follow suit by offering free domain validated certificates.
www.paypal.com was unavailable to most customers for more than an hour today, with no estimated time for resolution during the outage. PayPal uses scheduled maintenance windows every Thursday and Friday from 11pm to 1am PST, but this rarely results in any noticeable downtime, and today's outage extended beyond that window.
PayPal's payments API was also unavailable, which will have affected many online retailers, including PayPal's owner, eBay. A statement from eBay at 12:52am PST said: "EBay [sic] is currently experiencing checkout problems. Community members may see errors or timeouts when attempting to pay for an item. We are working on the problem and apologize for the inconvenience."
A live status update on the PayPal X Developer Network stated that there was no alternative work-around to the problem:
The problems with the PayPal website and payment APIs were resolved at 1:23am.
Renesys earlier confirmed that Egyptian internet providers had returned to the internet just before 09:30 UTC; however, a few important sites mysteriously went back offline a short while later. www.mcit.gov.eg came online for a brief period, but then went offline again less than an hour later:
Before Egypt shut down internet access, the online collective Anonymous had been carrying out a distributed denial of service attack against this site; however, that attack did not appear to succeed at the time. Meanwhile, www.egypt.gov.eg has been online solidly since Egypt returned to the internet, whereas www.moiegypt.gov.eg has been coming and going:
This site was also attacked as part of an online protest by Anonymous, which resulted in some short outages on 26th January. A tweet from AnonymousIRC suggests that this site may be being kept offline by a second DDoS attack:
We are continuing to monitor the performance of several Egyptian sites at http://uptime.netcraft.com/perf/reports/performance/wikileaks