The makers of the two most popular Web browsers, Microsoft and Mozilla, have acknowledged a potential security threat demonstrated by a group of researchers in Berlin today that could undermine the trust users place in secure shopping and banking Web connections protected by Secure Socket Layer, or SSL, connections.

Array Of 200 Sony PlayStation 3 Game Consoles Utilized

Users of Internet sites accustomed to conducting online purchases or other financial transactions with relative confidence in the small padlock image that is shown in most Web browsers when an SSL certificate verifies the authenticity of a Web site, could with the exploit shown today continue to see the padlock symbol even when they are actually at an imposter site set up by individuals or groups looking to gain banking or credit card information.

Using a powerful array of some 200 Sony PlayStation 3 gaming consoles, which each contain a relatively fast and inexpensive microprocessor, security researchers from the United States, the Netherlands and Switzerland presented a paper today that demonstrated the exploit, which took advantage of a nearly-outdated method of cryptographically signing SSL certificates known as the MD5 hash algorithm, first documented in theory several years ago.

Microsoft And Mozilla Acknowledge Web SSL Security Threat Demonstrated In Berlin

Redmond, Washington-based Microsoft issued a statement about the research. "The MD5 algorithm had previously shown a vulnerability, but a practical attack had not yet been demonstrated," Microsoft said, while noting that it was "actively monitoring the situation and has worked with affected Certificate Authorities to keep customers informed and to provide customer guidance as necessary."

San Francisco-based Mozilla said in a message posted Tuesday to its security blog that it was "working with affected certificate authorities to ensure that their issuing processes are updated to prevent this threat."

One variety of VeriSign SSL certificate, issued by its RapidSSL property, represented the majority of vulnerable certificates still using the MD5 hashing method. The security researchers said they hoped their efforts would lead to VeriSign and other issuers of SSLs abandoning the use of the method that made the exploit revealed today possible.

Related Links:

• Microsoft statement about SSL exploit research
• Mozilla statement about SSL exploit research
• Wired article
• New York Times article
• ComputerWorld article
• SSL exploit research paper
• PC World article
• CNET / News.com article
• Register article
• ZDNet article
• NewsFactor / Yahoo article
• WebmasterWorld's Webmaster General discussion forum