Researchers Successfully Spoof SSL Digital Certificates With a Fleet of PS3s

MITM attacks aren’t the only things ripping off SSL certificates these days; it looks like Sony’s PS3 is capable of the act as well!
In a recent study conducted with more than 200 PlayStation 3 consoles, researchers were able to create a Secure Sockets Layer (SSL) certificate for absolutely any web page. The forged certificates were made through a proof-of-concept attack. The attack works by generating millions of possible certificates; once a pair that contains a special collision in the MD5 hash is found, a legitimate website certificate is requested from one of the authorities that rely only on MD5 to generate signatures. Because both certificates in the pair have the same MD5 hash, the authority's signature on the legitimate one also validates the forged one. These certificates have been accepted by every major browser.
“This break is major,” stated Karsten Nohl, cryptography expert and researcher at the University of Virginia. “It definitely is the most wide-scale attack, because anything short of patching all browsers in the world to not accept the certificates, there's nothing you can do to prevent it.”
Still, there’s no stated fix for the issue today. Let’s just hope that since the researchers possess the information on how the attack is conducted, they’ll be able to make one soon.
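The forged certificates depend on an authority signing over an MD5 hash, so one check a defender can run is to flag any certificate whose signature algorithm is MD5-based. The following is an added example, not code from the article or the researchers; the function names are illustrative and the sample certificates are constructed skeletons, not real ones.

```python
# Added example; function names are illustrative, not from any library.
WEAK = {"1.2.840.113549.1.1.2": "md2WithRSAEncryption",
        "1.2.840.113549.1.1.4": "md5WithRSAEncryption"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the body of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def alg_oid(alg_value):
    """Dotted OID from the body of an AlgorithmIdentifier SEQUENCE."""
    body = children(alg_value)[0][1]
    arcs, n = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:  # base-128 arcs; a set high bit means more bytes follow
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def audit(der):
    """Classify one DER certificate by its signature algorithm."""
    tbs, outer_alg = children(read_tlv(der, 0)[1])[:2]
    fields = children(tbs[1])
    fields = fields[1:] if fields[0][0] == 0xA0 else fields  # skip optional [0] version
    inner, outer = alg_oid(fields[1][1]), alg_oid(outer_alg[1])  # fields[0] is the serial
    if inner != outer:
        return "reject: signatureAlgorithm fields disagree"
    return f"reject: {WEAK[outer]}" if outer in WEAK else f"ok: {outer}"

def sample(last_arc):
    """Constructed skeleton (not a real certificate): version, serial, algorithm, dummy signature."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d0101") + bytes([last_arc])) + b"\x05\x00")
    tbs = tlv(0x30, tlv(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + alg)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00\xde\xad\xbe\xef"))
```

For real input, convert PEM to DER with `ssl.PEM_cert_to_DER_cert` and pass each non-root certificate in a chain to `audit`.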
Image Credit: Sony, Ray-Ban Sunglasses (again)
karnak
January 01, 2009 at 7:23pm
We need more 'proof of concept' hacks out in the open to show us what a tightrope we are really walking.
maniacm0nk3y
December 31, 2008 at 7:50pm
Proof that PS3s are evil.....
Just kidding. Pretty cool that they did that with PS3s, but it sucks that they can crack it with something as easy as a console.
















