Null Character Hack Allows SSL Spoofing

← Back to Stories (view on slashdot.org)

Null Character Hack Allows SSL Spoofing

Posted by timothy on Thursday July 30, 2009 @06:43AM from the cannot-anticipate-all-evil dept.

eldavojohn writes "Two researchers, Dan Kaminsky and Moxie Marlinspike, came up with exact same way to fake being a popular website with authentication from a certificate authority. Wired has the details: 'When an attacker who owns his own domain — badguy.com — requests a certificate from the CA, the CA, using contact information from Whois records, sends him an email asking to confirm his ownership of the site. But an attacker can also request a certificate for a subdomain of his site, such as Paypal.com\0.badguy.com, using the null character \0 in the URL. The CA will issue the certificate for a domain like PayPal.com\0.badguy.com because the hacker legitimately owns the root domain badguy.com. Then, due to a flaw found in the way SSL is implemented in many browsers, Firefox and others theoretically can be fooled into reading his certificate as if it were one that came from the authentic PayPal site. Basically when these vulnerable browsers check the domain name contained in the attacker's certificate, they stop reading any characters that follow the "\0 in the name.'"

46 of 280 comments (clear)

Min score:

Reason:

Sort:

\0wned by Hatta · 2009-07-30 06:44 · Score: 4, Funny

\0\0ps.

--
Give me Classic Slashdot or give me death!
1. Re:\0wned by Lord+Fury · 2009-07-30 06:47 · Score: 5, Funny
  
  I don't get it, you didn't post anything.
2. Re:\0wned by LucidBeast · 2009-07-30 06:51 · Score: 5, Funny
  
  I just came to say Moxie Marlinspike is just about the coolest name I've ever seen...
Re:Are CA's that stupid? by graphicartist82 · 2009-07-30 06:48 · Score: 4, Insightful

The lower-cost automated ones don't care. It's all handled by software; at no point in the process (on the CA side) is a human involved. And I'm betting that if the browsers aren't catching it, neither are the CAs.
Is the null character valid in a domain name? by characterZer0 · 2009-07-30 06:48 · Score: 4, Interesting

If not, the CA should not have issued the cert in the first place. Which CA was it?

--
Go green: turn off your refrigerator.
1. Re:Is the null character valid in a domain name? by Statecraftsman · 2009-07-30 06:54 · Score: 2, Funny
  
  badguy.com of course! (goes to check his list of root CAs)
Re:Are CA's that stupid? by OrangeTide · 2009-07-30 06:48 · Score: 5, Insightful

CAs should be fixed to not allow garbage in the domain. \0 isn't a legal character in DNS protocol, so why should anyone be allowed to register a domain certificate with something that is not allowed.
I miss pascal strings, where the first byte was the length of the string. It had lots of cool advantages in situations like this over C's null terminated strings.

--
“Common sense is not so common.” — Voltaire
Re:Are CA's that stupid? by Spad · 2009-07-30 06:49 · Score: 4, Insightful

Most CAs will grant you a certificate for anything if you pay them the going rate.
When C Strings Attack! by Tyler+Eaves · 2009-07-30 06:49 · Score: 3, Insightful

*sigh* Why is anyone still using null-terminated strings? It's almost a shame that Pascal didn't become dominant...many of these bugs would simply not occur.

--
TODO: Something witty here...
1. Re:When C Strings Attack! by Desler · 2009-07-30 07:02 · Score: 3, Funny
  
  I agree. 255 characters ought to be enough for anyone!
2. Re:When C Strings Attack! by Anonymous+Cowar · 2009-07-30 07:10 · Score: 4, Funny
  
  Two strings walk into a bar.
  
  The first string says to the bartender, "Give me a beer." The bartender turns to the second string and says, "and what about for you?" To which the second string replies, "I would also like a beer#@a9101gb230b81;kajf3#$B89*#()*13!$%#@$"" and goes on and on spewing gibberish.
  
  The bartender, shocked, asks the first string, "What is your buddy's problem?"
  
  The first string answers, "Oh, you'll have to excuse him, he isn't null terminated."
3. Re:When C Strings Attack! by clone53421 · 2009-07-30 07:43 · Score: 2
  
  Um, that's the actual null character, not the backslash character followed by the numeral zero. Your brain was supposed to unescape it. The string contains the actual null character; it was simply escaped for display purposes.
  
  --
  Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
4. Re:When C Strings Attack! by commodore64_love · 2009-07-30 08:05 · Score: 3, Interesting
  
  >>>"I would also like a beer#@a9101gb230b81;kajf3#$B89*#()*13!$%#@$""
  When I first read this I thought something was wrong with my modem. This is how online surfing used to appear prior to the advent of error-correction. Random noise could suddenly appear in the middle of your test. ..... Well I think I'm done for the day. Goodbye all!
  +++
  ATH
  bio#OP*qe! B89*#()*13!B89*#()*13!B89*#()*13! (click)
  CARRIER LOST
  
  --
  "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
5. Re:When C Strings Attack! by BikeHelmet · 2009-07-30 08:53 · Score: 4, Interesting
  
  Java strings!
  32bit signed int, max length 2GB.
  That ought to be enough for anybody. ;) If you need longer, there's special buffer classes that can go longer.
  The string also chooses between ASCII and Unicode when initialized, (you can manually set char encoding, as well) so properly cleaned/trimmed ASCII strings don't waste any memory. (Except for the 3 bytes extra that go into a length int, instead of a null char - but those 3 bytes also give you an amazing speedup when you need to know the length of the string.)
  I believe C# implements Strings in a similar way.
Re:Are CA's that stupid? by Joce640k · 2009-07-30 06:51 · Score: 2, Insightful

Come over to C++ - we have it all!

--
No sig today...
Dan Kaminski, would you STOP ALREADY !! by Anonymous Coward · 2009-07-30 06:54 · Score: 5, Funny

Go do something else for a while. If it were not for you we all would be safer !!
So now... by mhkohne · 2009-07-30 06:55 · Score: 5, Funny

All we have to do is get the CAs to pay attention to the certs they issue, correct?
Uh-oh. We're screwed.

--
A thousand pounds of wood moving at 300 feet per minute. Don't get in the way.
1. Re:So now... by Anonymous Coward · 2009-07-30 06:59 · Score: 5, Insightful
  
  No, all we have to do is make CA's liable for the certs the issue.
2. Re:So now... by julesh · 2009-07-30 19:49 · Score: 2, Interesting
  
  Isn't that why they charge huge amounts for the certs?
  No, I think that's called rampant profiteering. And because competition has driven the price down too low for them (oh no, they can only get away with charging ~50 euros for an automatically-generated chunk of data) they've introduced extended validation certs, where they actually do what they were supposed to be doing in the first place and charge yet more money for it...
And we trust CAs *why* again? by girlintraining · 2009-07-30 07:05 · Score: 4, Insightful

If you ask me, networks of trust such as PGP are far more difficult to compromise than a central authority. Anything centralized is going to have only a handful of people, who are easy to find, and being private citizens, easily compromised. On the other hand, an integrated cryptographic interface where anyone can vouch for the authenticity of a site, ie; a reputation-based evaluation schema, would be (relatively speaking) more secure.
I have a reputation amongst my friends and family of being "tech savvy". They trust my advice on technology. If that advice could be included in a database an integrated directly into the browser, then others they know that are also "tech savvy" (and trust) could inform their browsing actions much more than a single profit-orientated organization. I could, for example, add "l0pht industries" to my list of trustees, or "Bruce Schneider"... Or even "Rob Malda", and those people would become part of the trust network that my friends would then rely on. This is where the technology should go -- but because it conflicts with monied interests and in a capitalist society it is only the dollar value of a thing that makes our institutions protect it, it probably never will.
Trust is really the central issue, not cryptography. Cryptography enables us to extend our trust relationships into the digital world.

--
#fuckbeta #iamslashdot #dicemustdie
1. Re:And we trust CAs *why* again? by Hatta · 2009-07-30 07:25 · Score: 2, Informative
  
  If you ask me, networks of trust such as PGP are far more difficult to compromise than a central authority. Anything centralized is going to have only a handful of people, who are easy to find, and being private citizens, easily compromised. On the other hand, an integrated cryptographic interface where anyone can vouch for the authenticity of a site, ie; a reputation-based evaluation schema, would be (relatively speaking) more secure.
  Really? It seems to me that with a centralized system, you have one entity controlling trust. If you want to subvert that, you have to convince that entity that you are trust worthy. If you have a decentralized system, you could have 1000 entities controlling trust. That's 9999 more chances you have to trick someone.
  Decentralized systems are at first glance more appealing, but I don't think they are safer in this case. The problem in this case is that the CAs aren't incentivized to ensure trust. They make money based on the number of certificates they sell, not the trustworthiness of those certificates. CAs should be non-profit, or at least heavily penalized for issuing false certificates, if this is going to work.
  
  --
  Give me Classic Slashdot or give me death!
2. Re:And we trust CAs *why* again? by QuoteMstr · 2009-07-30 07:33 · Score: 2, Informative
  
  CAs should be non-profit, or at least heavily penalized for issuing false certificates, if this is going to work.
  The problem is the same with Moody's, actually: the central issue is that the people doing the auditing are being paid by the people they're auditing. Simply having browser users pay CAs (or investors pay rating agencies) would put the economic incentives in the right place, but that idea doesn't sit well with a lot of people.
  So instead, we're left with imperfect and leaky regulation. CAs really should be subject to more regular audits, and their trust bits should be removed by browser vendors when they are abused.
  By the way: I remove Comodo root certificates from any browser I use. Comodo allows its affiliates to issue certificates to anyone without verification, and therefore I do not trust Comodo.
3. Re:And we trust CAs *why* again? by Gramie2 · 2009-07-30 07:37 · Score: 3, Informative
  
  I'd rather add "Bruce Schneier" to my list of trustees, but your friend "Bruce Schneider" may be okay too.
  I'm really not trying to be a smartass. I just want people to get his name right; he deserves it.
4. Re:And we trust CAs *why* again? by Lord+Ender · 2009-07-30 07:55 · Score: 2, Insightful
  
  The modern CA hierarchy IS a web of trust. You have the control over which CAs and even which individual certificates you trust. If you go with the default trust relationships provided by your browser or OS vendor, and you aren't satisfied, you have no one to blame but yourself.
  
  --
  A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
5. Re:And we trust CAs *why* again? by dkf · 2009-07-30 08:58 · Score: 2, Insightful
  
  The modern CA hierarchy IS a web of trust.
  No, it's properly a forest (i.e., multi-rooted tree). All the trust flows one way, from the CA roots. That works better because smaller numbers of people need to know what they're doing. Normal people, even normal website admins, don't need to know the details. By contrast, a web of trust will only work between people who understand the security implications of getting it wrong and who are therefore appropriately cautious. So small groups of techies are ideal, the general public... less so.
  
  --
  "Little does he know, but there is no 'I' in 'Idiot'!"
6. Re:And we trust CAs *why* again? by Simetrical · 2009-07-30 09:22 · Score: 2, Funny
  
  Really? It seems to me that with a centralized system, you have one entity controlling trust. If you want to subvert that, you have to convince that entity that you are trust worthy. If you have a decentralized system, you could have 1000 entities controlling trust. That's 9999 more chances you have to trick someone.
  Well, one thing I certainly can't trust is Slashdot users' ability to do arithmetic.
  
  --
  MediaWiki developer, Total War Center sysadmin
Only as secure as the gate-keeper. by MaerD · 2009-07-30 07:11 · Score: 2, Interesting

This isn't really a browser issue.

The browser is going "Show me that this cert is valid for paypal.com" and the CA is going "Here it is, for paypay.com" , at least as far as the browser is concerned.
This is no more a flaw then if the CA just started letting anyone buy certs for paypal.com.

Having multiple CAs (and cheap CAs) is a good thing, but we're only ever secure with ssl as the least secure CA.

--
I put on my robe and wizard hat..
1. Re:Only as secure as the gate-keeper. by jpmorgan · 2009-07-30 10:14 · Score: 2, Interesting
  The browser never sends a request to the CA. The browser has a copy of the CA's public key in a local store, so it can verify the cert itself. And the cert is perfectly valid... it's just for the wrong website! How SSL certs are supposed to work:
  
  The browser checks that the certificate has been signed by a trusted CA, by comparing it against its own local repository of CA public keys.
  
  The browser verifies that the certificate has not expired or been revoked.
  
  The browser verifies that the certificate matches the website it's trying to access.
  
  In this attack, the certificate is valid, and has not expired or been revoked, because the certificate was issued by a valid CA and is compliant with all the rules.So Firefox checks 1 and 2 they pass, as they should. But what's supposed to happen is firefox checks the 3rd part, and should detect the mismatch and generate an error. But firefox implements check #3 wrong, this is the problem. Firefox is improperly treating the domain name as null terminated, when the strings are supposed to be length delimited. This is a browser bug, plain and simple.
2. Re:Only as secure as the gate-keeper. by DarkOx · 2009-07-30 11:51 · Score: 2, Informative
  
  You could argue that but I might argue that NULL in not a valid character in an FQDN. It is by extension not a valid character in the CN attribute of a certificate issued for an FQDN. I have not looked at the code but the cert parser probably decrypts the certificate looks at the length of the string copies that many bytes into some other data structure null character inclusive, as well as everything beyond it just like it should.
  Then some other code looks at the data obtained from the SSL cert now stored in that internal struct which contains pointers to null terminated strings, a perfectly correct, perfectly common practice in C,C++ and loads of others. There is no checking of those strings for embedded NULLs because there should never be one, as stated above. I would say for a security function this classifies as a bug. They only reason I say that is in a security function one has to assume the input will in fact be malicious much of the time and violate all sorts of standards, rules, and conventions.
  So yes firefoxes SSL validation should be more rigorous in its input validation and toss out a cert as bad if it contains characters that would not be permissible in any given attribute.
  Really the problem lies though with the CA. They should also be doing that input checking, and not issuing certificates no permissible characters for any given attribute. A CA is after all supposed to be authenticating that this entity really is who they claim to be. If they claim to be something that can't exist, because it has an illegal name as in this case, then they must by definition be false and should have been rejected.
  It comes do to who was responsible for what. The browsers job is really only to verify that the certificate is valid. It was it has a valid signature from the CA. The CA job was to validate the information on the certificate before issuing it, they failed.
  
  --
  Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
Re:Makes me wonder by QuoteMstr · 2009-07-30 07:14 · Score: 4, Insightful
Idiots? I think not. Put yourself in the shoes of programmers in the 70s. Could you have come up with a better idea that did all these?
- didn't use more than one byte of extra memory
- worked for both static and dynamically-allocated strings
- did the right thing when embedded in structures initialized to zero
- allowed for easy, efficient string concatenation
Sure, today, C strings might seem like a poor decision today, in this age of virtual memory, C++ classes, and sophisticated optimizing compilers. But at the time, C strings were the least bad of the available alternatives.
Re:Are CA's that stupid? by Onymous+Coward · 2009-07-30 07:15 · Score: 3, Informative

\0 isn't a legal character in DNS protocol
Say, that's a pretty good idea. Start by limiting the input to DNS-valid characters.
Geez.
For anyone who thinks "Well, I guess there might be some bad CAs out there," please keep in mind that it only requires one of the CAs (or their delegates) that your browser recognizes to make a mistake and you're hosed. Now go look at how many CAs are listed in your browser.
Damnit, it's time to flog this again:

Every time this topic comes around I feel like I should share this thing I've run across:
Perspectives.
Basically, "network notaries". Decentralization of (a kind of) authentication.
This is one thing that makes self-signed certs viable for a popular audience.
If we were using pascal strings... by argent · 2009-07-30 07:22 · Score: 3, Insightful

Someone would just get a certificate that managed to put the ".badguy.com" part starting at byte 255 of some string.
Null is not a legal character in a domain name, even if you're using UTF strings. It shouldn't be allowed in a certificate.
1. Re:If we were using pascal strings... by QuoteMstr · 2009-07-30 07:25 · Score: 5, Informative
  
  It's actually rather amusing that people here proclaim Pascal-style strings as the solution to all our woes.
  It's because certificates use ASN.1, essentially a modern-day Pascal string, that these vulnerabilities are possible. If certificates instead were encoded using C-style strings, NULLs wouldn't be an issue.
Great summary by Bromskloss · 2009-07-30 07:30 · Score: 5, Insightful

The summary really explained what it's all about, rather than sound like a newspaper who want's you to read more. This is great! Too few summaries are like this. Editors, you should make sure every story get such a good presentation on Slashdot.

--
Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
Re:Are CA's that stupid? by clone53421 · 2009-07-30 07:48 · Score: 2, Insightful

Well, it did say "the null character \0". That seems pretty obvious. It's the null character, and we're calling it \0 because it's unprintable.

--
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
Paypal.com versus Badguy.com by commodore64_love · 2009-07-30 07:49 · Score: 4, Funny

I don't get it.
Isn't this just the same company?

--
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
1. Re:Paypal.com versus Badguy.com by commodore64_love · 2009-07-30 07:57 · Score: 4, Informative
  
  P.S.
  Obligatory explanation: In the early 2000s, paypal.com was arbitrarily closing customers' account and keeping the money for themselves. (You can read more detail at paypalsucks.com) After a couple of years of this, the Bush adminstration's FTC investigated, found paypal guilty, and required paypal.com to refund all the money they had taken. Some people received full refunds while others received flat payouts. I was one of those who received a $50 check.
  So long story short - Paypal.com and Badguy.com are synonymous for many people.
  Another action Bush's FTC took was against record companies. They found the companies had created an illegal cartel to pricefix retail sales of CDs (gee what a surprise), and the companies agreed to settle the case by issuing refunds. I received an $18 check, ditto my brother, ditto my mom, and ditto my two nieces. It might take-awhile but eventually the law catches-up to illegal corporate activities.
  
  --
  "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
Defense-in-depth by davidwr · 2009-07-30 08:11 · Score: 2, Informative

Yes, the CAs should have clear standards on what they can and cannot issue a certificate for.
However, browser makers need to assume some CAs will issue non-compliant certificates.
They should also assume some compliant certificates will be confusing to end users, whether it is because of a look-alike character, such as 1/l/!, 0/O, or many such UNICODE pairings. This applies not just to certificates but also second-level domains where an authoritative server run by badguy.com might return an address for a domain that uses characters that are supposedly illegal.
In any case, web browsers need to flag these things and make it obvious the address or certificate isn't what it appears to be.
Finally, end-user need to be educated that login.paypal.com is not the same as login.paypal.com\0.badsite.com or !ogin.paypa!.com or 1ogin.paypa1.com.
Somehow I think the latter may be a lost cause with some people.

--
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
VeriSign Responds to Black Hat by VeriSign+Allen · 2009-07-30 08:49 · Score: 4, Informative

Tim Callan, vice president of product marketing at VeriSign, responds (in more detail) to these Black Hat presentations in his new SSL blogpost: https://blogs.verisign.com/ssl-blog/2009/07/busy_day_at_black_hat.php He fills some of the holes that Marlinspike and Kaminsky dug.
Re:MS BSTR and null terminated strings by Thuktun · 2009-07-30 08:53 · Score: 2, Informative

It's a shame that the Microsoft BSTR didn't become the dominant form of string, then these problems wouldn't be occurring.
A Microsoft BSTR is simply a length-prefixed string, which are themselves older than Microsoft.
Re:Are CA's that stupid? by sootman · 2009-07-30 09:16 · Score: 2, Insightful

CAs should be fixed to not allow garbage in the domain. \0 isn't a legal character in DNS protocol, so why should anyone be allowed to register a domain certificate with something that is not allowed.
Exactly. My mind is totally blown by this. They're issuing SECURITY certificates and they don't VALIDATE USER INPUT?!?!? Isn't that the very first thing they cover when talking about how to design apps securely? This is would take, what, a one-line regular expression to catch? God help them if Bobby Tables wants a cert.

--
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
Re:Are CA's that stupid? by infolation · 2009-07-30 09:23 · Score: 3, Informative

Mr Marlinspike gives a more comprehensible breakdown of why this works in an interview he gave with Jeff Moss at Blackhat 09 that looks at SSL vulnerabilities in a broader light.
gentlemen that reminds me... by ei4anb · 2009-07-30 10:17 · Score: 3, Interesting

of the day I found a similar exploit in IE6. During a pentest I noticed that a company had a password reset site with a url like "passwordedit.info.example.com" so I regestered "passwordedit.info" and sent e-mails to some employees saying "your password will soon expire, please go to passwordedit.info.example.com and change it". However the 'e' in "example" was a Unicode character thet looked/displayed like ASCII 'e' but was not.
The trick was that IE stopped parsing the url at the bogus 'e' and went to "passwordedit.info" (my site) while displaying "passwordedit.info.example.com" in the url bar.
My site recorded the new passwords while forwarding the change request to the real site
IE6 was fixed and no press release was made (we are discreet)
domains and URLs have been changed to protect the guilty
Re:Makes me wonder by JesseMcDonald · 2009-07-30 10:59 · Score: 2, Insightful

The problem is that the certificate, being written in ASN.1 format, does use a Pascal-style length-delimited string, whereas the browser is using C-style strings. When the ASN.1 string is converted into a C-style string the early NUL terminator is preserved, truncating the domain, and this truncated domain is then used to verify that the certificate matches the URL. This wouldn't be an issue if the same string format was used in both places, whether Pascal-style or C-style.
There are multiple aspects to this vulnerability. No certificate should have been issued for an invalid domain name (NUL characters are not permitted in DNS identifiers). Given the sensitivity of the field, the domain name should not have been converted from ASN.1 format to a C-style string without some runtime verification that the resulting string is equivalent to the original, including the length. Finally, it would have made more sense to store and compare the domain name starting from the TLD; that way, if the name somehow did get truncated, the part which was verified would be the most important part and not some arbitrary subdomain.

--
"The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
Hmmm... by Kingrames · 2009-07-30 14:48 · Score: 2, Funny

Would this mean that there's a similar site out there called Slashnaught.org?

Or would that be Slashdot's good twin?

--
If you can read this, I forgot to post anonymously.
Moxie at Black Hat by TheCabal · 2009-07-30 17:07 · Score: 3, Informative

Moxie's presentation was very enlightening. Out of all the presentations I saw over the last two days, his was easily the most interesting.
First, he went over his last presentation- that due to CA sloppiness, it is possible for an attacker to issue valid SSL certificates as an intermediary CA. No hack involved.
Second, the null character exploit. This was the bulk of his presentation, and he went into detail why this works, and why Firefox pre-3.5 plus a bunch of other SSL stacks are vulnerable. Dont want to get a cert for every site you want to spoof? Get a wildcard \0 cert.
Third, it is possible to defeat OCSP with the number 3.
Fourth, he demonstrated how, due to these bugs in SSL and OCSP, it is possible to deploy your own "software updates" whenever Firefox or other program attempts to auto-update.
I hope he puts his presentation up sometime soon.