Governments and banks still using weak MD5-signed SSL certificates

More than a thousand websites – including several government sites – are still using SSL certificates with weak signature algorithms.

Netcraft's August 2012 SSL Survey shows there are 1,300 websites still using SSL certificates that have been signed using the cryptographically weak MD5 digest algorithm. This algorithm is demonstrably vulnerable to several types of attack, including collision attacks.

The first use of this vulnerability against SSL was demonstrated back in December 2008, when security researchers showed how an MD5 hash collision could be exploited to create a rogue certificate authority (CA) certificate that would be trusted by all common web browsers. This rogue certificate could have been used to sign arbitrary subscriber certificates, thus allowing an attacker to convincingly impersonate any secure website on the internet.

At the time of the 2008 discovery, Netcraft's SSL Survey showed that 14% of all SSL certificates were signed using the vulnerable MD5 algorithm.

A few months later, the developers of Google Chrome suggested that some browser developers would be dropping support for MD5-signed certificates at some point; however, given the number of sites still using MD5-signed certificates, it was thought that suddenly removing support for such certificates would have a undesirably large impact on users.

As the majority of MD5-signed certificates have since expired or been replaced, browser vendors and certificate authorities have been gradually phasing out support for such certificates. Apple removed support for MD5-signed certificates in an iOS 5 update last year, and Chrome's developers subsequently revisited the issue and revised their browser to display an interstitial warning about MD5 being a weak signature algorithm. This immediately caused problems for users of certain corporate proxies, where a man-in-the-middle approach was used to decrypt SSL traffic before presenting it to the client with a trusted MD5-signed certificate.

The CA GeoTrust has added the affected certificates to its certificate revocation lists at http://www.geotrust.com/resources/repository/crls/, which has resulted in the certificates being rejected as invalid in many of today's browsers, including Chrome, Opera and Internet Explorer. However, sites which currently use MD5-signed certificates can be viewed with the latest version of Mozilla Firefox without receiving any warnings, as the relevant certificate revocation lists have to be added manually, and none of the certificates specifies an OCSP server for checking the revocation status.

The CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates [pdf] no longer allow the MD5 digest algorithm to be used for root, subordinate or subscriber certificates. All but two of the 1,123 unique MD5-signed certificates still in use on the web were issued by Equifax between 2006 and 2008, with validity periods ranging between 4 and 6 years.

The remaining two MD5-signed certificates were issued by VeriSign. These do not appear to have been revoked, but are due to expire in less than a month. In the worst case, all MD5-signed certificates currently in use on the web will have expired naturally by March 2014, regardless of whatever measures have been taken by browser vendors and certificate authorities.

Several government websites are currently operating with MD5-signed certificates, including a few in Australia, a couple in New Zealand, and one in each of Ireland and the UK. The most recently issued certificates are marked as being valid from 30th December 2008 – the same day as the publication of the hash collision demonstration.

Other notable users of weak MD5-signed certificates include Reliance Bank, Commencement Bank, several online billing websites, dozens of corporate webmail services, purportedly secure hosting providers, a number of schools and universities, and even a reseller of GeoTrust SSL certificates.