The Electronic Frontier Foundation's SSL Observatory has found that thousands of SSL certificates used to authenticate HTTPS sites are effectively useless, owing to weak algorithms used to generate the random numbers that are needed for encryption. By analyzing each certificate, the researchers found that one in 500 certificates is currently insecure, meaning that tens of thousands of sites across the web are vulnerable to eavesdroppers. To reach this finding, the Observatory downloaded every available SSL certificate on the IPv4 internet and then analyzed the cryptographic methods behind each one.
Similar research has uncovered mathematical flaws in the past, but the application of a new algorithm has found that many certificates share the same prime factors, which makes traffic protected by them far easier to decrypt. The consequences of these weak certificates are serious. According to the EFF, "In all cases, a weak key would allow an eavesdropper on the network to learn confidential information, such as passwords or the content of messages, exchanged with a vulnerable server." The Observatory says that it has already alerted website operators, certificate authorities, and browser vendors, but that the vulnerability will remain until the random number generation bugs are squashed.
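Operators can run the same kind of check over their own key inventory: if two RSA moduli share a prime, a single greatest-common-divisor computation reveals it, so any key flagged this way must be regenerated. The sketch below is an added example, not the Observatory's code; the article does not name its algorithm, so the product-tree batch GCD used here is an assumption, and the host labels and toy-sized moduli are constructed for illustration.

```python
from math import gcd, prod


def product_tree(values):
    """Build levels of pairwise products; the last level holds the full product."""
    tree = [list(values)]
    while len(tree[-1]) > 1:
        level = tree[-1]
        tree.append([prod(level[i:i + 2]) for i in range(0, len(level), 2)])
    return tree


def batch_gcd(moduli):
    """For each modulus N, return gcd(N, product of all the other moduli).

    A result other than 1 means N shares a prime factor with another key.
    """
    tree = product_tree(moduli)
    remainders = tree.pop()  # top of the tree: product of every modulus
    while tree:
        level = tree.pop()
        # Push the product down the tree, reducing modulo each node squared.
        remainders = [remainders[i // 2] % (n * n) for i, n in enumerate(level)]
    # (P mod N^2) // N equals (P / N) mod N, the product of the other moduli mod N.
    return [gcd(n, r // n) for n, r in zip(moduli, remainders)]


def audit(inventory):
    """inventory maps a label to an RSA modulus; returns {label: shared factor}."""
    labels = list(inventory)
    factors = batch_gcd([inventory[label] for label in labels])
    return {label: g for label, g in zip(labels, factors) if g != 1}


# Constructed sample: toy moduli built from small primes (real moduli are 2048+ bits).
# host-a and host-b were "generated" with the same first prime, 101.
INVENTORY = {
    "host-a": 101 * 103,
    "host-b": 101 * 107,
    "host-c": 109 * 113,
}

if __name__ == "__main__":
    for label, factor in audit(INVENTORY).items():
        print(f"{label}: shares factor {factor} with another key, regenerate it")
```

In practice the moduli would be extracted from the certificates or public keys you operate, and a hit points to a weak random number source on the device that generated the key, not only to the key itself.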