Secure web pages: industry alarmed by EPFL report

Rush is on to get owners of encrypted pages to switch to new keys

EPFL's Arjen Lenstra in 2006, professor, algorithm cryptology laboratory (photo ©2012 EPFL / Alain Herzog)

LAUSANNE, SWITZERLAND – A very high percentage of secured web pages, the “https” URLs we look for when we make payments, for example, are indeed secure: 99.8 percent. But the assumptions behind the SSL certificate system may be ill-founded, a group of researchers at EPFL, the Swiss federal polytechnic institute, has shown. And that leaves many sites unprotected, according to Bit-Tech, which notes that “while a 99.8 per cent security rating may seem impressive, the RSA public key cryptography system is incredibly widespread.”

The researchers, a team led by EPFL’s Arjen Lenstra, write in their abstract that they “performed a sanity check of public keys collected on the web. Our main goal was to test the validity of the assumption that different random choices are made each time keys are generated. We found that the vast majority of public keys work as intended. A more disconcerting finding is that two out of every one thousand RSA moduli that we collected offer no security. Our conclusion is that the validity of the assumption is questionable and that generating keys in the real world for ‘multiple-secrets’ cryptosystems such as RSA is significantly riskier than for ‘single-secret’ ones.”
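A defender-side version of the kind of sanity check the abstract describes, as an added example that is not from the EPFL paper or this article: it audits an inventory of your own RSA moduli for keys that are identical or share a factor, either of which means they were not generated from independent random choices and should be replaced. The article does not say how the researchers ran their check; the pairwise greatest-common-divisor comparison, the key names and the toy moduli (products of Mersenne primes) are assumptions made for illustration.

```python
from itertools import combinations
from math import gcd

# Constructed sample data: known Mersenne primes stand in for the large
# random primes a real key generator would pick.
P = [2**e - 1 for e in (61, 89, 107, 127, 521, 607, 1279)]

# Hypothetical inventory: key name -> RSA modulus n = p * q.
INVENTORY = {
    "web-01": P[0] * P[1],
    "web-02": P[0] * P[2],   # reuses a prime from web-01
    "mail-01": P[3] * P[4],
    "vpn-01": P[3] * P[4],   # same modulus as mail-01
    "api-01": P[5] * P[6],   # independent of all others
}


def audit_moduli(inventory):
    """Return {key name: [(issue, other key), ...]} for keys that need rotation.

    Two moduli built from independent random primes are coprime, so any
    pair that is equal or has gcd > 1 violates the "different random
    choices each time" assumption. The comparison is pairwise (quadratic),
    which is fine for an organisation's own key inventory.
    """
    findings = {}
    for (a, n_a), (b, n_b) in combinations(sorted(inventory.items()), 2):
        if n_a == n_b:
            issue = "identical-modulus"
        elif gcd(n_a, n_b) > 1:
            issue = "shared-factor"
        else:
            continue
        findings.setdefault(a, []).append((issue, b))
        findings.setdefault(b, []).append((issue, a))
    return findings


if __name__ == "__main__":
    for name, issues in sorted(audit_moduli(INVENTORY).items()):
        for issue, other in issues:
            print(f"{name}: {issue} with {other} -> generate a new key pair")
```

The report names only which keys to replace; keys that do not appear in it passed this particular check, which says nothing about other weaknesses.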

SSL certificates work by using encryption. Verisign, one of the world’s main SSL certificate providers, explains how the system works at the consumer level: “Each SSL Certificate consists of a public key and a private key. The public key is used to encrypt information and the private key is used to decipher it. When a Web browser points to a secured domain, a level of encryption is established based on the type of SSL Certificate as well as the client Web browser, operating system and host server’s capabilities.”

The findings have set alarm bells ringing in the industry. Bit-Tech reports that the system “underpins the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) used by almost every secure website in the world. It’s used by banks, online shops, digital distribution services and even voice-over-IP (VoIP) systems to protect credit card details, passwords and other personal data.”

The potential damage is huge, according to the Electronic Frontier Foundation, a non-profit group that has been defending free speech, privacy, innovation, and consumer rights in the digital world since 1990, before most people had heard the word digital. “The consequences of these vulnerabilities are extremely serious. In all cases, a weak key would allow an eavesdropper on the network to learn confidential information, such as passwords or the content of messages, exchanged with a vulnerable server. Secondly, unless servers were configured to use perfect forward secrecy, sophisticated attackers could extract passwords and data from stored copies of previous encrypted sessions. Thirdly, attackers could use man-in-the-middle or server impersonation attacks to inject malicious data into encrypted sessions. Given the seriousness of these problems, EFF will be working around the clock with the EPFL group to warn the operators of servers that are affected by this vulnerability, and encourage them to switch to new keys as soon as possible.”

The EPFL authors, in their report, took the precaution of pointing out the difficulty of contacting the owners of all affected pages, noting that some page owners need to take precautions.

“Publication of results undermining the security of live keys is uncommon and inappropriate, unless all affected parties have been notified. In the present case, observing the above phenomena on lab-generated test data would not be convincing and would not work either: tens of millions of thus generated RSA moduli turned out to behave as expected based on the above assumption. Therefore limited to live data, our intention was to confirm the assumption, expecting at worst a very small number of counterexamples and affected owners to be notified. The quagmire of vulnerabilities that we waded into makes it infeasible to properly inform everyone involved, though we made a best effort to inform the larger parties and contacted all email addresses recommended (such as ssl-survey@eff.org) or specified in valid affected certificates. The fact that most certificates do not contain adequate contact information limited our options. Our decision to make our findings public, despite our inability to directly notify everyone involved, was a judgment call.”