On an Edinburgh Bus: A root certificate, a weak key, and SHA-1

I love my trip on the bus into work in the morning, and Lothian Buses provide such a great service. I have always loved traveling on buses in Edinburgh.

And so my laptop typically tries to connect to the bus wifi. But, basically, it is set up to intercept HTTP traffic and then feed adverts to me. HTTP injection exposes users to many risks, especially to their privacy. Also, it tries to intercept HTTPS by providing me with a root certificate, and then tries to break the tunnel. Why do we allow this? Surely users are being tricked, and whoever connects to the network could spy on people using the wifi. Do not — ever — install a root certificate, unless you really trust it!

So, the first problem is that the wifi connection tries to install a root certificate on my computer (quite shocking actually!), and one which will be trusted until the year 2034 (yes, that is 15 years away, so it might stick around for a while). This means that if anyone hacks this certificate (and, as we will see, it might not be too difficult) and finds the associated private key, then they could create hacked applications which are properly signed:

But things get worse. The certificate itself has a weak 1,024-bit RSA key and, quite shockingly, is signed with a SHA-1 signature:

We see, though, that the Icomera Web site manages to get a 2K RSA key for its certificate and an RSA-signed SHA-256 signature, and doesn’t use a root certificate (as it would get blocked):

Certificates used on the Web

A quick scan of the Internet shows that the industry has finally migrated away from SHA-1 as the method of signing digital certificates, as Google showed that it was practically possible to fake a SHA-1 signature. The survey shows that no site had a SHA-1 signature, and that the vast majority (99.8%) were using SHA-256, for which it would take billions and billions of years to change a certificate and end up with the same hash signature.

With RSA we have a public key and a private key. We release the public key as an e value (normally 65,537) and an N (the modulus) value. The N value gives RSA its strength, and it is made up of two prime numbers (p and q). An intruder can thus search for the factors of N, and if they find them they will be able to discover the private key (d,N). The larger the prime numbers, the more costly it will be to find the factors.

It is well known that RSA keys of 1,024 bits or less are weak against attack, and a well-known attack on Adobe updates breaks Adobe’s signing using a cracked 512-bit RSA private key, which matches a valid 512-bit public key for Adobe. The good news is that every site surveyed supported at least 2,048 bits, and none had weak keys on their digital certificate.

There is thus virtually no Web site on the Internet with 1K RSA keys, and virtually none with SHA-1 signed certificates. So why do we get these on a bus? Surely you are more at risk of snooping on a bus than at home, and the standards for cryptography should be high.
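The properties called out above (SHA-1 signature, 1,024-bit RSA key, CA status, expiry year) can be checked before any certificate is trusted. The following is an added example, not part of the original post: it audits the text printed by `openssl x509 -noout -text`, and the abridged sample dump, the certificate name and the policy thresholds are constructed assumptions.

```python
import re

# Constructed, abridged sample of `openssl x509 -noout -text` output with the
# properties the post describes; the certificate name and dates are placeholders.
SAMPLE_ROOT = """\
Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = Example Onboard Wifi Root CA
        Validity
            Not Before: Jan  1 00:00:00 2014 GMT
            Not After : Jan  1 00:00:00 2034 GMT
        Subject: CN = Example Onboard Wifi Root CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
"""
# Constructed counterpart with the parameters the post reports for public sites.
SAMPLE_SITE = (SAMPLE_ROOT.replace("sha1With", "sha256With")
               .replace("1024 bit", "2048 bit").replace("CA:TRUE", "CA:FALSE"))

MIN_RSA_BITS = 2048             # assumed policy: the floor the post's survey found
WEAK_DIGESTS = ("md5", "sha1")  # assumed policy: digests rejected for signatures


def audit(text):
    """Return a list of findings for one certificate text dump."""
    findings = []
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)
    if sig and any(d in sig.group(1).lower() for d in WEAK_DIGESTS):
        findings.append(f"weak signature digest: {sig.group(1)}")
    # OpenSSL 1.1.1 prints "RSA Public-Key:", 3.x prints "Public-Key:".
    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    is_rsa = re.search(r"Public Key Algorithm:\s*rsaEncryption", text)
    if bits and is_rsa and int(bits.group(1)) < MIN_RSA_BITS:
        findings.append(f"RSA key too short: {bits.group(1)} bits")
    # Expiry only matters here as the lifetime of a weakness found above.
    end = re.search(r"Not After\s*:.*?(\d{4}) GMT", text)
    if findings and end:
        findings.append(f"weak parameters stay valid until {end.group(1)}")
    if "CA:TRUE" in text:
        findings.append("CA:TRUE: if trusted, it can sign other certificates")
    return findings


if __name__ == "__main__":
    for name, dump in (("root", SAMPLE_ROOT), ("site", SAMPLE_SITE)):
        print(name, audit(dump) or "no findings")
```

To audit a real file, pass the output of `openssl x509 -in cert.pem -noout -text` to `audit()`; the key-size rule applies only to RSA keys, so elliptic-curve certificates are not flagged by it.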

Conclusions

What other industry would have such poor security standards, and allow citizens to be exposed to such risks? Perhaps it’s about time that security professionals were a bit more vocal in improving standards, and in informing the general public on the risks they face.