A team of security researchers have revealed a major vulnerability in the Internet infrastructure that hackers could use to launch undetectable attacks and intercept secured online communications when users visit bank and e-commerce Web sites.

The team of research experts from the Netherlands, Switzerland and the United States managed to mimic the digital identity and authority assigned to RapidSSL, one of the companies that act as "certificate authorities" (CAs). These companies issue digital security credentials in order to uniquely identity Web sites.

The experts found out that RapidSSL along with a few other CA companies are still signing their digital certificates using the weak cryptographic method called MD5. The team of researchers thought they could exploit that weakness and they were right.

The researchers used a homegrown, massive array of number-crunching machines and managed to produce a virtual clone of the digital signature RapidSSL used to sign SSL certificates. The researchers used a farm of about 200 Play Station 3 gaming consoles. 

A hacker possessing those credentials who had seized control of a large network could intercept requests of users trying to visit an e-commerce or banking Web site. By intercepting the users, the hacker could redirect them to a counterfeit version of the site designed to steal the user's credentials. The conclusion: "Signing certs with MD5 in 2008 is negligent," said Jacob Appelbaum, researcher with the Tor Project.

Applebaum said a good hacker with experience in this area could duplicate the work done by the research team in about a month.