Experts at the 25C3 Security Congress Berlin have found a weakness in internet digital certificates that allows attackers to forge certificates that are fully trusted by all commonly used web browsers.

The researchers from universities in Switzerland and the Netherlands warned that these weaknesses make it possible to impersonate secure websites and email servers and to perform virtually undetectable phishing attacks.

Code breakers

When you visit secure websites with URL starting 'https', a small padlock symbol indicates that the website is secured using a digital certificate issued by one of a few trusted Certification Authorities (CAs).

To ensure that the digital certificate is legitimate, the browser verifies its signature using standard cryptographic algorithms. The team of researchers has discovered that one of these algorithms, known as MD5, can be misused.

Some weaknesses in MD5 were first highlighted in 2004, but the new security holes allow hackers to create their own rogue Certification Authority.

Forging ahead

This opens the door to users being redirected to malicious sites that appear exactly the same as banking or e-commerce websites they believe to be visiting. The web browser can receive a forged certificate that will be erroneously trusted, and users' passwords and other private data can fall in the wrong hands.

"The major browsers and Internet players – such as Mozilla and Microsoft – have been contacted to inform them of our discovery and some have already taken action to better protect their users," said Arjen Lenstra, head of the EPFL Laboratory for Cryptologic Algorithms in Switzerland.

The researchers did not reveal all the details of how they broke the MD5 algorithm, but did say that they used an advanced 'collison attack' and - bizarrely - a cluster of "more than 200 commercially available game consoles".