This past week saw the cracks appearing in the oft-toted “Silver-Bullet” of ecommerce security: The SSL Certificate. Now granted, the “Silver-Bullet” remarks usually come from mis-informed ecommerce webmasters, and not from information security practitioners themselves; but, there does seem to be this aura of “I’ve got SSL, NOBODY can Hack ME!”
Let’s get some things straight to start of with: first, the vulnerability announced is not a flaw of the PKI itself, but of MD5-Signed Certificates. (As an aside, if you need a refresher / primer on SSL Certs & PKI, here is a good one.) Bascially, any MD5-signed Certificates could be counterfeit, ie, the website is actually a phishing site for PayPal, even though the Certificate may check out fine. Fortunately, MD5-signed certificates were already being replace with SHA1-signed certificates because of already well-known weaknesses in the MD5 algorithm.
What does this all mean pratically? Well, for one, as of this writing, facebook is still using a MD5-signed certificate. They have appareantly changed to SHA1 within the past 5 hours. DNSstuff.com, VistaPrint.com, among many other fairly large websites are still using MD5-signed certificates.
There are other sites out there that may have no idea, especially smaller ecommerce sites. So how do you protect your self?
If you are using Firefox (Which I’m sure you are! :), you can install the SSL Blacklist add-on from here.
This add-on will pop up a box that tells you if the site you are visiting had a MD5-signed certificate. Obviously you can find this info yourself by examing the website, but it can be time-consuming, and I know I would forget!
Now if SSL Blacklist does pop-up
It does not neccesarily mean that, for example, dnsstuff.com is acutally not the real McCoy. It just means that it is possible that, because dnsstuff.com still uses a MD5-signed certifiate, it might not actually be the real McCoy.
This is where you make your choice. Do you still login to the site, or do you get out of there until dnsstuff.com fixes their certificates so that you do know it is them? If my banking site still had MD5-signed certificates, I would never login, until they got it fixed.
After all the warnings, the Flashing Red Lights, etc, when it really comes down to it,
You are only as secure as you choose to be.