Null Character Hack Allows SSL Spoofing
eldavojohn writes "Two researchers, Dan Kaminsky and Moxie Marlinspike, came up with the exact same way to fake being a popular website with authentication from a certificate authority. Wired has the details: 'When an attacker who owns his own domain — badguy.com — requests a certificate from the CA, the CA, using contact information from Whois records, sends him an email asking to confirm his ownership of the site. But an attacker can also request a certificate for a subdomain of his site, such as Paypal.com\0.badguy.com, using the null character \0 in the URL. The CA will issue the certificate for a domain like PayPal.com\0.badguy.com because the hacker legitimately owns the root domain badguy.com. Then, due to a flaw found in the way SSL is implemented in many browsers, Firefox and others theoretically can be fooled into reading his certificate as if it were one that came from the authentic PayPal site. Basically when these vulnerable browsers check the domain name contained in the attacker's certificate, they stop reading any characters that follow the "\0" in the name.'"
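The truncation described in the summary, as an added C example that is not part of the original post or of any comment: a flawed name check that treats the certificate name as a C string, beside a counted check and an issuance-side character screen. The struct, the function names and the sample bytes are constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A name as the ASN.1 decoder hands it over: bytes plus an explicit length.
   Nothing in the encoding says the bytes stop at the first NUL. */
struct cert_name {
    const unsigned char *data;
    size_t len;
};

/* Constructed samples. SPOOFED is the name from the summary: 22 bytes with a
   NUL at offset 10. HONEST is an ordinary 10-byte name. */
static const unsigned char SPOOFED_BYTES[] = "paypal.com\0.badguy.com";
static const unsigned char HONEST_BYTES[] = "PayPal.com";
const struct cert_name SPOOFED = { SPOOFED_BYTES, sizeof SPOOFED_BYTES - 1 };
const struct cert_name HONEST = { HONEST_BYTES, sizeof HONEST_BYTES - 1 };

/* ASCII case-insensitive comparison of exactly n bytes. */
static int equal_nocase(const unsigned char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower(a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Flawed check: copy the name into a buffer, terminate it, then treat it as a
   C string. strlen() stops at the embedded NUL, so the suffix is never seen. */
int match_cn_cstring(const struct cert_name *cn, const char *host)
{
    char buf[256];
    if (cn->len >= sizeof buf)
        return 0;
    memcpy(buf, cn->data, cn->len);
    buf[cn->len] = '\0';
    size_t seen = strlen(buf);              /* 10 for SPOOFED, not 22 */
    return seen == strlen(host) &&
           equal_nocase((const unsigned char *)buf, host, seen);
}

/* True when any of the len bytes is NUL. */
int cn_has_embedded_nul(const struct cert_name *cn)
{
    return memchr(cn->data, '\0', cn->len) != NULL;
}

/* Counted check: reject names carrying a NUL, then compare over the full
   decoded length so every byte of the name takes part in the match. */
int match_cn_counted(const struct cert_name *cn, const char *host)
{
    size_t hlen = strlen(host);
    if (cn->len == 0 || cn_has_embedded_nul(cn) || cn->len != hlen)
        return 0;
    return equal_nocase(cn->data, host, hlen);
}

/* Issuance-side screen (simplified assumption: letters, digits, '-' and '.'
   only). A NUL or any other stray byte fails before a cert is signed. */
int cn_is_plain_hostname(const struct cert_name *cn)
{
    if (cn->len == 0)
        return 0;
    for (size_t i = 0; i < cn->len; i++) {
        unsigned char c = cn->data[i];
        if (!(isalnum(c) || c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

int main(void)
{
    printf("cstring check, spoofed name vs paypal.com: %d\n",
           match_cn_cstring(&SPOOFED, "paypal.com"));
    printf("counted check, spoofed name vs paypal.com: %d\n",
           match_cn_counted(&SPOOFED, "paypal.com"));
    printf("counted check, honest name vs paypal.com:  %d\n",
           match_cn_counted(&HONEST, "paypal.com"));
    printf("issuance screen accepts spoofed name:      %d\n",
           cn_is_plain_hostname(&SPOOFED));
    return 0;
}
```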
\0\0ps.
Give me Classic Slashdot or give me death!
Would a CA really grant a certificate for paypal\0.badguy.com ?
If not, the CA should not have issued the cert in the first place. Which CA was it?
Go green: turn off your refrigerator.
*sigh* Why is anyone still using null-terminated strings? It's almost a shame that Pascal didn't become dominant...many of these bugs would simply not occur.
TODO: Something witty here...
Go do something else for a while. If it were not for you we all would be safer !!
All we have to do is get the CAs to pay attention to the certs they issue, correct?
Uh-oh. We're screwed.
A thousand pounds of wood moving at 300 feet per minute. Don't get in the way.
It's a shame that the Microsoft BSTR didn't become the dominant form of string, then these problems wouldn't be occurring.
Who's the fscking idiot who thought having \0 indicate end-of-string was a good idea??!!?
I cannot remember something that gave more _grief_ and _problems_ than that.
how long until
If you ask me, networks of trust such as PGP are far more difficult to compromise than a central authority. Anything centralized is going to have only a handful of people, who are easy to find, and being private citizens, easily compromised. On the other hand, an integrated cryptographic interface where anyone can vouch for the authenticity of a site, ie; a reputation-based evaluation schema, would be (relatively speaking) more secure.
I have a reputation amongst my friends and family of being "tech savvy". They trust my advice on technology. If that advice could be included in a database and integrated directly into the browser, then others they know that are also "tech savvy" (and trust) could inform their browsing actions much more than a single profit-orientated organization. I could, for example, add "l0pht industries" to my list of trustees, or "Bruce Schneier"... Or even "Rob Malda", and those people would become part of the trust network that my friends would then rely on. This is where the technology should go -- but because it conflicts with monied interests and in a capitalist society it is only the dollar value of a thing that makes our institutions protect it, it probably never will.
Trust is really the central issue, not cryptography. Cryptography enables us to extend our trust relationships into the digital world.
#fuckbeta #iamslashdot #dicemustdie
That was "Pascal greater than C" using the greater than sign, but apparently slashdot can't escape that properly....
More significantly, an attacker can also register a wildcard domain, such as *\0.badguy.com, which would then give him a certificate that would allow him to masquerade as any site on the internet and intercept communication.
That doesn't sound that bad, does it?
This guy's the limit!
This isn't really a browser issue.
The browser is going "Show me that this cert is valid for paypal.com" and the CA is going "Here it is, for paypal.com", at least as far as the browser is concerned.
This is no more a flaw than if the CA just started letting anyone buy certs for paypal.com.
Having multiple CAs (and cheap CAs) is a good thing, but we're only ever secure with ssl as the least secure CA.
I put on my robe and wizard hat..
A debate older than time_t ?
Someone would just get a certificate that managed to put the ".badguy.com" part starting at byte 255 of some string.
Null is not a legal character in a domain name, even if you're using UTF strings. It shouldn't be allowed in a certificate.
What modern language would have been open to this attack vector? Browsers are important. They should not be written in c/c++, whatever the performance gains. Let's just not do it anymore.
Agreed, it is a shame, the null terminated came in C very late in game when byte counting wasn't too expensive any more. I really don't get the replies of only 256 byte (octet?) max length? Pascal (PL/I, Algol, etc) strings can have up to unlimited length depending on language, computer, etc implementation. Any modern(?), intelligent language should be able to handle a continuous string of bytes (mostly octets but even NLS and other "strings") without any terminator or special API, it's so lame! And it is dangerous - my hair is gray fixing programs where the null was overwritten for some reason or where the scanning, input, whatever was dependent on some such terminator instead of hardware termination based on length, signal, memory boundary, memory protection, etc.
Back to the topic, CAs are in business for money, not to make things more secure or so. That's mostly the problem in computing today, you think that security certificates, PCI, even most of other regulations, etc are there to enhance security and I have a bridge to sell. They are there to make money, sell a product, shift the blame, whatever but definitely not for security which is much, much more than just some technology.
The summary really explained what it's all about, rather than sound like a newspaper who wants you to read more. This is great! Too few summaries are like this. Editors, you should make sure every story gets such a good presentation on Slashdot.
Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
http://r00tsecurity.org/files/zf05.txt search for Dan Kaminsky ......
I may be wrong but you're downright ugly!
Perhaps one should use a ';' to end strings instead.
Seriously, I would say the problem is not C strings, but the CA *not* using C strings instead. If they properly recognized the null character as a string terminator, they wouldn't issue a certificate for paypal.com to badguy.com.
I don't get it.
Isn't this just the same company?
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
Web of trust is easy to spoof, provided a certain level of autonomy in the system. All a hacker would have to do is spoof Millions (billions, trillions) of trust relationships making it look like something is highly trusted by lots of people. Suddenly that badbuy.com website looks highly trusted to someone who has never seen it before.
And what happens when geeks get a hold of the technology and slashdot the web of trust for Microsoft.com as -1 EvilCorp?
Let us assume for a second that both the cases above actually occur in a web of trust, how would we correct it? Manual Override? Do you really trust your users to manually override this web of trust?
So now badguy.com is properly untrusted, but now your user can manually override that trust level. Now what?
Sorry, I don't want a web of trust, because it is too hard to correct a false positive, or false negative. It would need manual override of the trust relationships to fix broken trusts results and other, who knows what, problems.
See my sig, it kind of explains things.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Yes, the CAs should have clear standards on what they can and cannot issue a certificate for.
However, browser makers need to assume some CAs will issue non-compliant certificates.
They should also assume some compliant certificates will be confusing to end users, whether it is because of a look-alike character, such as 1/l/!, 0/O, or many such UNICODE pairings. This applies not just to certificates but also second-level domains where an authoritative server run by badguy.com might return an address for a domain that uses characters that are supposedly illegal.
In any case, web browsers need to flag these things and make it obvious the address or certificate isn't what it appears to be.
Finally, end users need to be educated that login.paypal.com is not the same as login.paypal.com\0.badsite.com or !ogin.paypa!.com or 1ogin.paypa1.com.
Somehow I think the latter may be a lost cause with some people.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Yes, they are in it to make money, but would they be as careless if they could be sued for any losses due to their negligence? (I am also including MS for all its security flaws.)
The CA issued a malformed Cert. The browser (firefox) did not catch the malformation. Who is to blame? Both I would think.
College-Pages.com - Online Colleges, Degrees, and Programs
There are lots of terrible old technologies that are still in use precisely and only because they're in common use. Yes, XML (yes you probably knew I was going to say this when you read the subject line, let's get it over with quickly and move on) may be the worst possible cross between human readable (it isn't, at least not for large files) and machine readable (complex and bug inviting, as many security advisories have shown), but whole forests of tools have been written around it, most of which simply won't accept anything else. Yes, HTML may be a bastard of XML and SGML with corprus, complete with style sheets and scripting using yet another completely different syntax, but browsers want it so if you want people to read your site, you have to use it. Yes, Windows' user interface pseudo object oriented system may not be elegant, and even Microsoft would like to change over, but lots of software is written for it so we keep going down this road, piling up organic extensions. It's like we're all locked in a deadly embrace, a grim fandango of mutual dependency.
I'm l\0\0king forward to using the new slashd\0t \0wnzrd meme. (I've never witnessed the birth of a meme before, wow!).
After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
Tim Callan, vice president of product marketing at VeriSign, responds (in more detail) to these Black Hat presentations in his new SSL blogpost: https://blogs.verisign.com/ssl-blog/2009/07/busy_day_at_black_hat.php He fills some of the holes that Marlinspike and Kaminsky dug.
Firefox 3.5 is _not_ vulnerable to this attack.
Yes. The browser is at fault for treating an ASN.1 string as a null terminated string.
The CA is at fault for issuing a certificate for a domain that does not exist, and in fact is not even legal under the domain name system.
(Yes the second level domain does exist, but the company would not sell me a cert for some nonexistent second level domain merely because the .com TLD exists.)
Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
...mostly.
Verisign (& presumably the rest of their group - Thawte, Geotrust) and Comodo didn't issue it - their systems never allowed null characters in subjects.
Some evidence so far (as this isn't the first time it's come up, just the first to be published like this and as with so much at Blackhat, sensationalised) points to Globalsign as the issuing CA, although I'd be surprised if they hadn't fixed it by now.
I really don't get the replies of only 256 byte (octet?) max length? Pascal (PL/I, Algol, etc) strings can have up to unlimited length depending on language, computer, etc implementation.
Because Pascal strings stored the length in a single byte and that single byte could only represent an unsigned integer up to 2^8 - 1 or 255. Hence the comments about pascal strings and 255 character lengths.
of the day I found a similar exploit in IE6. During a pentest I noticed that a company had a password reset site with a url like "passwordedit.info.example.com" so I registered "passwordedit.info" and sent e-mails to some employees saying "your password will soon expire, please go to passwordedit.info.example.com and change it". However the 'e' in "example" was a Unicode character that looked/displayed like ASCII 'e' but was not.
The trick was that IE stopped parsing the url at the bogus 'e' and went to "passwordedit.info" (my site) while displaying "passwordedit.info.example.com" in the url bar.
My site recorded the new passwords while forwarding the change request to the real site
IE6 was fixed and no press release was made (we are discreet)
domains and URLs have been changed to protect the guilty
Seriously, what the fuck are you babbling about? A "continuous stream of bytes" is garbage without a well-defined prefix or terminator.
"I miss pascal strings, where the first byte was the length of the string. It had lots of cool advantages in situations like this over C's null terminated strings." - by OrangeTide (124937) on Thursday July 30, @02:48PM (#28885923) Homepage
IF you liked that? You MIGHT like this little tidbit of information... especially regarding STRING PROCESSING SPEED, of Delphi (Object Pascal), vs. MSVC++ &/or VB:
ODDLY? This was from a COMPETING language's trade rag, VBPJ -> In "Visual Basic Programmer's Journal", Sept./Oct. issue 1997, when I was a VB5-6 &/or MSVC++ coder primarily, in the issue entitled "INSIDE THE VB5 COMPILER"? Delphi, oddly considering this was a competing language trade rag, absolutely WHOOPED both VB5 &/or MSVC++ 5 in 7/10 tests performed (to test programmatic speed & efficiency)!
Especially in MATH and STRINGS work, blowing away VB5 in speed here, by MANY ORDERS OF MAGNITUDE no less, & beating even MSVC++, by double (which, mind you, EVERY PROGRAM DOES both strings & math work) literally 'taking me away' from, or rather, replacing my former favs in MSVC++ & VB, as my "weapon of choice" for building programs...
(Some "Food 4 Thought"...)
APK
P.S.=> Of course, I expect the C/C++ & other competing language fiends to come in & try to disprove this, & that's ok (I program in the others as well & "right tool for the right job" etc. et al), but, I am looking back @ that article now (have the issue in front of me in fact) & just remembering how it influenced me to try Delphi (which I love versions 2.0 - 7.1, before it went .NET) - I thought YOU might find this interesting OrangeTide, & why I put it up for you to read here! apk
Note that certs can and are used for things other than SSL on DNS names. In fact, the field used for the domain name is "Common Name". The CN field is used for a dozen things depending on what the cert is used for.
We should probably blame Netscape and everyone else who pushed using X.509 unchanged instead of trivially adding a field that required a valid DNS name.
This is a mismatch between the X.509 standard and how browsers use it. Most interesting is that the browsers have the information to correctly parse it, whereas the CAs don't have the information to do so, unless they are only issuing certs for SSL. As someone who would like to see widely usable PKI outside of the web-browser, I'd really rather fix the browsers than break the certs.
I think Mauve has the most RAM. --PHB (Dilbert Comic)
It is good that Verisign have taken steps in their own bailiwick to deal with illegal characters in their certificates, but their practices, including EV Certificates, won't stop other CAs from spoofing anyone's certificate, including Verisign. No holes are filled. This is a system-wide problem that must be fixed at the browser level.
I am not a robot. I am a unicorn.
IE6 was fixed and no press release was made (we are discreet) domains and URLs have been changed to protect the guilty
Exactly how does hiding the domains and URLs protect the guilty? We all know who makes IE6. And how can you call yourself discreet while posting the story on Slashdot and naming the guilty party?
Yes, theoretically it is correct as Pascal strings are defined / described. This is an ages old argument but many languages (many "Pascals") have "strings" which have a descriptor or length not limited to 256, the programmer just doesn't have to take care of it. And they have no separate API or whatever for different "strings", mostly they are actually just handled by compiler. The pain of delimiters is bad, have to have another class or whatever to handle strings as continuous memory (the implementation may be whatever as in Haskell, etc.) And especially with Unicode or for example protocol stream it means scanning everything, every time instead of letting hardware to do its work - great for one (maybe) but when talking thousand and thousands at the same time it eats cpu cycles which, especially in interface controllers, are already used too much.
There are special hardware solutions but they are not very common, computers still (mostly) work on bit level (there are exceptions). The delimiters are bad even other way, what is a delimiter for one class of data is / may not be a delimiter but data in another class of information so transformations can get sometimes tricky if data can not be trusted - most common have been overflows of zero limited strings and/or terminators in protocol strings. Or zero and here and maybe the non-breaking space in HTML or whatever.
Actually I like C (and assembler) because of the power over code, but it definitely needs more code and more caution to use strings in those languages than in Pascal, PL/I, ADA, and other languages where strings are transparent (not Pascal strings as defined). Many interpreted languages can handle strings without terminator so.. All high level languages should (IMHO) have a class of string which is transparent in compiler, not some ever changing API, proven going from one octet to multiple for Unicode, etc - old (new?) style just doesn't seem to work too well - causes problems as this.
Scan your databases for FQDs for issued certs with the null string. Then revoke them.
Then go after the people who requested them and ask for an explanation.
Wearing pants should always be optional.
Saying that the solution to this is a better string type is like enforcing no-trucking routes by putting hairpin turns everywhere. Programmers shouldn't let any old crap into their system, that is how you get hacked. Period.
But as long as we're arguing over whose programming language is better: we should all program in ZT
http://www.philipp-winterberg.de/software/zte.htm
Would this mean that there's a similar site out there called Slashnaught.org?
Or would that be Slashdot's good twin?
If you can read this, I forgot to post anonymously.
Then go use Delphi instead of spewing drivel with randomly capitalized words.
Delphi is Pascal, and the poster said he liked the way pascal handled strings (something about many advantages) over the way C does them. Why the fuck are you going on some sort of crazy rant over it when he essentially agreed with you (without using CRAZY TINFOIL HAT CAPS)
Moxie's presentation was very enlightening. Out of all the presentations I saw over the last two days, his was easily the most interesting.
First, he went over his last presentation- that due to CA sloppiness, it is possible for an attacker to issue valid SSL certificates as an intermediary CA. No hack involved.
Second, the null character exploit. This was the bulk of his presentation, and he went into detail why this works, and why Firefox pre-3.5 plus a bunch of other SSL stacks are vulnerable. Don't want to get a cert for every site you want to spoof? Get a wildcard \0 cert.
Third, it is possible to defeat OCSP with the number 3.
Fourth, he demonstrated how, due to these bugs in SSL and OCSP, it is possible to deploy your own "software updates" whenever Firefox or other program attempts to auto-update.
I hope he puts his presentation up sometime soon.
"using contact information from Whois records, sends him an email asking to confirm his ownership of the site."
I've requested several SSL certificates over the years. Never ever have I received such an email to confirm ownership, nor was I pre-confirmed as the domains were registered elsewhere. Okay, so the CA was not netsol or thawte. But it sure was a CA that was acknowledged by both MSIE6/MSIE7/MSIE8/FF2/FF3
I don't see a reason why my CA wouldn't simply hand me a valid cert for paypal.com, no technical stuff, anyone can do this. Okay, my cert would probably be revoked as soon as someone finds out, but by then the damage could be millions...
.sig: No such file or directory
"and the poster said he liked the way pascal handled strings (something about many advantages) over the way C does them" - by Anonymous Coward on Thursday July 30, @11:09PM (#28891981)
Do you know WHY it is nicer and what advantage is yielded by knowing the length of a string beforehand (which is what the poster noted, NOT how it helps speed though)?
I severely doubt you do, so I will tell you 1 gain:
In knowing the size of a string, you avoid having to send 2 pointers thru a string, one always being DOUBLE the size of the other (& when the doublesized larger one can no longer advance, you are @ the midpoint of a string on the smaller one, which that midpoint in turn, can be doubled to get the length of an unknown length string)
So - that added "pointer send" processing is avoided TOTALLY w/ pascal strings though & a gain results right there via avoiding having to do that kind of processing (which you WOULD have to do on a null terminated C string)
Also - this knowledge, the midpoint of a string, or its length, does yield the ability to find other things faster... (like for searches, specifically BINARY SEARCHES, it helps to know the midpoint of a string (& for speed of said searches)).
----
"Then go use Delphi instead of spewing drivel with randomly capitalized words." - by Anonymous Coward on Thursday July 30, @11:09PM (#28891981)
Will do. I will, because it is faster than most other compilers in most things!
I'll use it, alongside VB.NET & C# (Visual Studio 2005), VB 3-6, MSVC++, Leahy Fortran 77, Microsoft Macro Assembler, Ryan McFarland COBOL, & others on the PC (I program in 8-10 languages for the PC, & more for midrange & mainframe computers... I use whatever language is best suited for the tasks @ hand is all, & they do each have their merits/strengths over others @ times, depending on what is needed to be done).
Somehow, though, just based on the stupidity in your replies (including your "Fuck off Troll" reply)?
I doubt you code in even 1 language, or realize what I just wrote now... lol!
----
"instead of spewing drivel with randomly capitalized words." - by Anonymous Coward on Thursday July 30, @11:09PM (#28891981)
If my post is such drivel and so poorly written, then how could you understand it?
----
"Delphi is Pascal" - by Anonymous Coward on Thursday July 30, @11:09PM (#28891981)
Yes, it is... you MUST be a "genius" (that, or you read it back & spit it out, which is about ALL you know of the art of programming I wager).
----
"Why the fuck are you going on some sort of crazy rant over it when he essentially agreed with you (without using CRAZY TINFOIL HAT CAPS)" - by Anonymous Coward on Thursday July 30, @11:09PM (#28891981)
The poster I replied to in OrangeTide never mentioned speed gains - I do, first of all... learn to read & COMPREHEND what you read!
And, there is nothing crazy in informing OrangeTide about what I wrote, as he may not have been aware that Delphi DOUBLES MSVC++ in string processing speeds and completely blows away VB by many orders of magnitude in the same (string work).
Anyhow/anyways - Thus endeth the lesson for today... (even to a rude unintelligent & obviously uneducated goof, like you)
APK
P.S.=> You can stop following me around as you have all this month & modding me down or wising off to my replies... you look foolish doing so - &, it appears you have run out of mod points, finally, because you are unable to "mod down" my post here (as you have been doing all month to many of my posts here)... awwww, poor little AC troll ran out of his other registered sock puppet accounts mod points & now he is furiously raging spewing his anger on the page in his weak replies, lol! apk
"Fuck off Troll." - by Anonymous Coward on Thursday July 30, @11:01PM (#28891931)
See my subject-line above, & this url -> http://it.slashdot.org/comments.pl?sid=1320775&cid=28895275 , which is in regards to your other stupid reply here, as well...
(You are off topic, & a trash mouthed troll, period, or doesn't my quote of you above illustrate that much? My other post, in the URL I just posted above, will function to show how stupid & undereducated you are in this art & science of computing, also...)
APK
P.S.=> It also appears that your other 'sock puppet' registered accounts with which you have been "modding me down with", are ALL OUT OF MOD POINTS, eh? Now, all you have, is your profanity & stupidity to attack me with, which is JUST HOW I LIKE IT, lol... because it is SO SIMPLE to "tear you apart" with those, it is not even funny anyhow... better luck next time, troll! apk
only in the U.S. and a handful of other countries.
Most other places, it's how you get rich.
have fun trying to register a real domain name with a : / or " in it. It simply cannot be done.
there is a protocol layer and there are limitations placed by ICANN on your TLD.
"Two researchers, Dan Kaminsky and Moxie Marlinspike, came up with exact same way to fake being a popular website with authentication from a certificate authority."
Here's what happened : Moxie Marlinspike found this and sent his boss a message through his website, but the problem was, Mr. Kaminsky had tried his DNS poisoning on that website and all the traffic went through Kaminsky. Kaminsky afterward declared that he had found a way to do it :)
:)
Of-course I'm j/k but Dan is a genius and can do it
Read and Comment at my BLOG
!!!
Agreed, it is a shame, the null terminated came in C very late in game
C doesn't implement strings. All implementations of C that I know of implement libraries that make it possible to use strings in C.
But there's nothing to stop you from linking to your own library.
Yup. Having to resort to try to impersonate me. Figures. Not very original trolling either, as "it's been done" already here before. And the use of profanity (along with your twisted ideas, lol) is "not my style" either.
APK
P.S.=> Not even a "nice try" on my std. "trollometer" here - try be more original next time... apk
I was hoping that this dolt would bring up the std. string functions libs that MOST C/C++ compilers have, one function of which, is StrLen -> http://www.cplusplus.com/reference/clibrary/cstring/strlen/
(HOWEVER, because I waited on it, & he has NOT produced that? Well, his lack of putting up that simple function is merely just proving my words, that the fool I replied to is nothing more than that -> A trolling dunce who is someplace he does NOT belong in, messing w/ his betters...)
I gave it a few days, & he has not recognized that much... & instead, he gave me more really WEIRD guff trolling me instead, here -> http://it.slashdot.org/comments.pl?sid=1320775&cid=28916873
(LOL, what a freak he is, ontop of being stupid in coding & yet he had the nerve to try sound off on it here - anyhow/anways, lmao -> Hey, you read that url above, & YOU decide for yourselves, ontop of my being patient & waiting to see IF HE KNEW ABOUT STD. STRING FUNCTIONS!)
APK
P.S.=> Yes, you CAN/COULD use the method I extolled using pointer math++ operations in C++, but as I suspected (and yes, stated? The AC troll I am replying to, does indeed, not know a thing about coding, period, else he would have brought that up instead of my more "primitive method" that's doubtless behind the strlen functions in most null terminated strings C/C++ std. libs for strings (string.h file, specifically)... apk