Digital Certificate Flaw Undermines Online Banking
December 31, 2008: A team of international researchers has discovered a new web browser flaw that could put the services offered by e-commerce sites, banks and other financial institutions in jeopardy.
Using sophisticated techniques and a computing cluster of 200 PlayStation 3s, the researchers were able to forge digital certificates used by modern web browsers to secure transactions, and presented their evidence at this year’s Chaos Computer Club conference in Berlin.
The attack impersonates a legitimate encrypted SSL certificate to take advantage of a mathematical vulnerability in the SSL verification process.
Each SSL certificate is unique and assigned to a particular company so that it has a solid, verifiable identity online. When a secure transaction is opened online, the certificate is checked by a private firm against a public encryption key. The danger here is that if a certificate is compromised, it could be used for cyber crime without detection.
The flaw has been known since 2004; until now, however, it has been purely theoretical.
Because the team is withholding details of its methods, and considering the large amount of processing power required to exploit the flaw, it is unlikely that the flaw will pose any dire threat in the near future.