Slashdot Mirror


Null Character Hack Allows SSL Spoofing

eldavojohn writes "Two researchers, Dan Kaminsky and Moxie Marlinspike, came up with the exact same way to fake being a popular website with authentication from a certificate authority. Wired has the details: 'When an attacker who owns his own domain — badguy.com — requests a certificate from the CA, the CA, using contact information from Whois records, sends him an email asking to confirm his ownership of the site. But an attacker can also request a certificate for a subdomain of his site, such as Paypal.com\0.badguy.com, using the null character \0 in the URL. The CA will issue the certificate for a domain like PayPal.com\0.badguy.com because the hacker legitimately owns the root domain badguy.com. Then, due to a flaw found in the way SSL is implemented in many browsers, Firefox and others theoretically can be fooled into reading his certificate as if it were one that came from the authentic PayPal site. Basically when these vulnerable browsers check the domain name contained in the attacker's certificate, they stop reading any characters that follow the \0 in the name.'"
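
The summary above describes two separate failures: a CA that does not reject a 0x00 byte in a requested name, and a browser that compares the certificate's name as a NUL-terminated C string. The following is an added example (written for this page, not code from Wired, Firefox, or either researcher) that models both checks over a constructed DER-style name with an explicit length. The spoofed name "paypal.com\0.badguy.com" and the hostname "paypal.com" are constructed sample inputs; `matches_vulnerable`, `matches_hardened` and `has_embedded_nul` are hypothetical helpers, not any browser's API. DNS names are compared case-insensitively in real verifiers; case folding is left out here so the termination bug stays the only moving part.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * A name taken from a certificate's CN or subjectAltName dNSName.
 * DER/ASN.1 strings carry an explicit length, so a 0x00 byte in the
 * middle of the value survives encoding and reaches the verifier as
 * data, not as a terminator.
 */
typedef struct {
    const unsigned char *data;
    size_t len;
} cert_name;

/* Constructed sample input: the spoofed name from the story. The
 * literal holds 22 bytes plus the implicit terminator; the 0x00 right
 * after "paypal.com" is part of the name, hence sizeof(...) - 1. */
static const unsigned char SPOOF_BYTES[] = "paypal.com\0.badguy.com";
static const cert_name SPOOF_CN = { SPOOF_BYTES, sizeof(SPOOF_BYTES) - 1 };

/* Constructed legitimate name, for comparison. */
static const unsigned char LEGIT_BYTES[] = "paypal.com";
static const cert_name LEGIT_CN = { LEGIT_BYTES, sizeof(LEGIT_BYTES) - 1 };

/*
 * VULNERABLE (models the browser bug in the story): the DER value is
 * copied into a buffer and handed to strcmp(). strcmp() stops at the
 * first NUL, so only "paypal.com" is ever compared and the attacker's
 * "\0.badguy.com" tail is silently ignored.
 */
bool matches_vulnerable(const cert_name *name, const char *hostname)
{
    char buf[256];
    size_t n = name->len < sizeof(buf) - 1 ? name->len : sizeof(buf) - 1;
    memcpy(buf, name->data, n);
    buf[n] = '\0';                 /* the DER value now "looks like" a C string */
    return strcmp(buf, hostname) == 0;
}

/*
 * The check a CA should run on a requested name before issuing, and a
 * verifier before matching: a DNS name can never contain 0x00, so an
 * embedded NUL is either an encoding error or an attack.
 */
bool has_embedded_nul(const cert_name *name)
{
    return memchr(name->data, 0, name->len) != NULL;
}

/*
 * HARDENED: never turn the length-prefixed value into a C string.
 * Reject embedded NULs outright, then compare the full length with
 * memcmp() so every byte the CA signed takes part in the decision.
 */
bool matches_hardened(const cert_name *name, const char *hostname)
{
    size_t hlen = strlen(hostname);
    if (has_embedded_nul(name))
        return false;
    return name->len == hlen && memcmp(name->data, hostname, hlen) == 0;
}

int main(void)
{
    printf("spoofed CN vs paypal.com: vulnerable=%d hardened=%d\n",
           matches_vulnerable(&SPOOF_CN, "paypal.com"),
           matches_hardened(&SPOOF_CN, "paypal.com"));
    printf("legit CN   vs paypal.com: vulnerable=%d hardened=%d\n",
           matches_vulnerable(&LEGIT_CN, "paypal.com"),
           matches_hardened(&LEGIT_CN, "paypal.com"));
    return 0;
}
```

Running it shows the vulnerable comparison accepting the spoofed name for paypal.com while the hardened one rejects it, and both accepting the legitimate name. The same `has_embedded_nul` test, applied to the CSR on the CA side, would have stopped the certificate from being issued in the first place.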

13 of 280 comments

  1. \0wned by Hatta · Score: 4, Funny

    \0\0ps.

    --
    Give me Classic Slashdot or give me death!

    1. Re:\0wned by Lord Fury · Score: 5, Funny

      I don't get it, you didn't post anything.

    2. Re:\0wned by LucidBeast · Score: 5, Funny

      I just came to say Moxie Marlinspike is just about the coolest name I've ever seen...

    3. Re:\0wned by Anonymous Coward · Score: 1, Funny

      Better than Moxie CrimeFighter (daughter of Penn Jillette)?

      Or, given the subject, Robert'); DROP TABLE Students; -- (aka Little Bobby Tables)...

  2. Re:Is the null character valid in a domain name? by Statecraftsman · Score: 2, Funny

    badguy.com of course! (goes to check his list of root CAs)

  3. Dan Kaminski, would you STOP ALREADY !! by Anonymous Coward · Score: 5, Funny

    Go do something else for a while. If it were not for you we all would be safer !!

  4. So now... by mhkohne · Score: 5, Funny

    All we have to do is get the CAs to pay attention to the certs they issue, correct?

    Uh-oh. We're screwed.

    --
    A thousand pounds of wood moving at 300 feet per minute. Don't get in the way.

  5. MS BSTR and null terminated strings by Anonymous Coward · Score: 1, Funny

    It's a shame that the Microsoft BSTR didn't become the dominant form of string, then these problems wouldn't be occurring.

  6. Re:When C Strings Attack! by Desler · Score: 3, Funny

    I agree. 255 characters ought to be enough for anyone!

  7. Re:When C Strings Attack! by Anonymous Cowar · Score: 4, Funny

    Two strings walk into a bar.

    The first string says to the bartender, "Give me a beer." The bartender turns to the second string and says, "and what about for you?" To which the second string replies, "I would also like a beer#@a9101gb230b81;kajf3#$B89*#()*13!$%#@$"" and goes on and on spewing gibberish.

    The bartender, shocked, asks the first string, "What is your buddy's problem?"

    The first string answers, "Oh, you'll have to excuse him, he isn't null terminated."

  8. Paypal.com versus Badguy.com by commodore64_love · Score: 4, Funny

    I don't get it.

    Isn't this just the same company?

    --
    "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall

  9. Re:And we trust CAs *why* again? by Simetrical · Score: 2, Funny

    Really? It seems to me that with a centralized system, you have one entity controlling trust. If you want to subvert that, you have to convince that entity that you are trust worthy. If you have a decentralized system, you could have 1000 entities controlling trust. That's 9999 more chances you have to trick someone.

    Well, one thing I certainly can't trust is Slashdot users' ability to do arithmetic.

    --
    MediaWiki developer, Total War Center sysadmin

  10. Hmmm... by Kingrames · Score: 2, Funny

    Would this mean that there's a similar site out there called Slashnaught.org?

    Or would that be Slashdot's good twin?

    --
    If you can read this, I forgot to post anonymously.