SSL Certificate Forgery Attacks
Check Point customers using Check Point SmartDefense Services, for both IPS-1 and SmartDefense in VPN-1 NGX R62/R65 and VSX NGX R65, can update their systems and activate a protection that will detect and block SSL connections to Web sites whose certificate may have been forged using this recently discovered attack. Customers are preemptively protected against DNS poisoning attacks if the relevant DNS protections were activated. Check Point’s consumer browser security solution, ZoneAlarm ForceField, was also updated with new functionality to protect consumers against the threat.
Although difficult to exploit, the vulnerability could be used to impersonate any secure Web site on the Internet, including banking and e-commerce sites. By combining this vulnerability with DNS poisoning, hackers could easily launch nearly undetectable pharming attacks and silently misdirect unsuspecting users to rogue Internet sites.
First revealed on Dec. 30, 2008, the attack leverages a weakness in the MD5 hash algorithm, which is used in signing SSL certificates that tie authentic corporate identities to corresponding Web site addresses and public encryption keys. Researchers devised a way to manipulate an official Certificate Authority (CA) and forge a rogue CA that is then trusted by all common browsers.
More information about the attack, SmartDefense and IPS-1 protections can be found at Check Point's Security Research and Response Web.
