Breaking RSA: compromising SSL protected sites is surprisingly easy

Retro

Founder
Staff Member
Joined
4 Jun 2021
Messages
4,639 (4.50/day)
Those ubiquitous SSL certs protecting this site, major shopping and banking sites really aren't as secure as you think. Not exactly insecure either, but a determined attacker with the right algorithms and programming knowledge will be able to break the cert allowing them to create a fake site that impersonates the legitimate one to scam people.


This is especially true where the prime factors of the secret key are too close together numerically. Having prime factors that are twin primes (two apart) is the worst of all, but anything close is a bad idea so finding the right prime factors to maximise security isn't trivial. Maybe this is why DigiCert SSL certs cost hundreds whereas your regular cert is only a few dollars? Certainly, I can't see how the free automated Let's Encrypt certs are all that secure, relatively, as does the algorithm to generate them do much optimisation of the encryption keys? It's so quick, that I doubt it does much at all.

So, the thing I've been wondering is, even before finding this video, for a fixed number space, even if it's a massive 2048 bits long, there can't be that many primes in it and the "good" combinations of prime factors even less, to the tune of several orders of magnitude, so doesn't that compromise security right there? Making the key lengths ever longer helps to combat this, but isn't a silver bullet, because computers keep getting ever faster and quickly, too.

But don't panic, always check that the domain is the one that you expect to see - modern web browsers are good at highlighting it - and that the padlock symbol is there too and you'll be alright. Bookmarking sites is a great way to ensure that the correct site is accessed.

Nerd factor: cerebral as the video is quite mathsy, kinda like a Numberphile video.

 

Retro

Founder
Staff Member
Joined
4 Jun 2021
Messages
4,639 (4.50/day)
@Geffers, I think you'll find this quite interesting. It now makes sense why highly secure sites such as banks would choose expensive DigiCert over Let's Encrypt or another "ordinary" SSL cert.
 

Tiffany

Web Diva
Staff Member
Joined
13 Apr 2022
Messages
2,060 (2.88/day)
SSLs are imperative for any website. I'll watch this video and look forward to diving into the nerdzone for a better understanding of SSLs and how they function.
 

Retro

Founder
Staff Member
Joined
4 Jun 2021
Messages
4,639 (4.50/day)
Yeah, you'll like it; it was an eye-opener for me regarding those prime factors. Not all certs are the same.
 

Tiffany

Web Diva
Staff Member
Joined
13 Apr 2022
Messages
2,060 (2.88/day)
In addition to SSLs, this week I've learned the importance of how to create safe site email addresses and SMTP protocol security. Apparently, admins are guilty of creating email names that are easy to hack into (me :eek:). Now, I'm moving away from the old way of creating site emails to creating safer email alternatives with better security in mind.
 