Tips for safer SSL’ing

Despite what some people (including RapidSSL) said about the recent MD5 collision attack on SSL, the truth is that just because RapidSSL stopped using MD5 for issuing certificates it doesn’t mean the world is safe again.

The researchers were able to create a rogue Certification Authority certificate. That means they have a valid CA certificate, or that they can create any certificate they want for any site. No one tells me that a crime organization wasn’t able to do the same, and if they were, it doesn’t really matter that RapidSSL stopped using MD5 or not. In theory, RapidSSL would need to revoke its Root Certificate to make sure the problem was solved. The problem is that each certificate contains a URL so the browser can check if the certificate was revoked or not. The researcher’s rogue CA certificate had very limited space and it was impossible to include such a URL, which means that by default both Internet Explorer and Firefox are unable to find a revocation server to check their certificate against. Basically it’s up to the Browser vendors to solve the problem permanently by stop accepting certificates that use MD5 for example.

SSL is subject to many types of attacks, specially Man-in-the-Middle attacks. Users usually ignore SSL warnings so they’ll most likely not notice a Man-in-the-Middle attack. One way to be more protected is to install Perspectives, a Firefox plugin, developed by a couple of grad students from Carnegie Mellon University, that monitors the certificates used in the sites you visit, and warns you if the certificate has changed.

So let’s imagine you want to login on your Homebanking to make some wire transfers (or any other site that uses SSL). Here is a list that will make your SSL browsing safer:

  1. Make a bookmark of your Homebanking. Double check that the URL is correct.
  2. Install Perspectives
  3. If your browser is running, please quit it and run it again (so it’s a fresh run).
  4. Go to your bookmarks and click on the Homebanking bookmark. DO NOT load any webpage before the Homebanking one. Make sure the Homebanking is the first page loaded.
  5. Make sure Perspectives says the Homebanking site is safe
  6. Now it is safer to use the Homebanking. You can do whatever you want to do there now.