Slashdot Mirror


Null Character Hack Allows SSL Spoofing

eldavojohn writes "Two researchers, Dan Kaminsky and Moxie Marlinspike, came up with the exact same way to fake being a popular website with authentication from a certificate authority. Wired has the details: 'When an attacker who owns his own domain — badguy.com — requests a certificate from the CA, the CA, using contact information from Whois records, sends him an email asking to confirm his ownership of the site. But an attacker can also request a certificate for a subdomain of his site, such as Paypal.com\0.badguy.com, using the null character \0 in the URL. The CA will issue the certificate for a domain like PayPal.com\0.badguy.com because the hacker legitimately owns the root domain badguy.com. Then, due to a flaw found in the way SSL is implemented in many browsers, Firefox and others theoretically can be fooled into reading his certificate as if it were one that came from the authentic PayPal site. Basically when these vulnerable browsers check the domain name contained in the attacker's certificate, they stop reading any characters that follow the "\0" in the name.'"
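
The truncation described in the summary, and the length-prefixed versus NUL-terminated point raised in the comments below, as an added C example that is not part of the original post or the researchers' code. The struct and function names are hypothetical, and the certificate name bytes are constructed from the summary's example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* A name as it comes out of an ASN.1 string: bytes plus an explicit
   length. Nothing in the encoding forbids a 0x00 byte in the middle. */
struct cert_name {
    const char *data;
    size_t len;
};

/* Constructed sample data (hypothetical certificate contents). */
static const char SPOOFED[] = "paypal.com\0.badguy.com";
static const char GENUINE[] = "paypal.com";
const struct cert_name spoofed = { SPOOFED, sizeof SPOOFED - 1 };
const struct cert_name genuine = { GENUINE, sizeof GENUINE - 1 };

/* Flawed check: hands the bytes to a C string function and ignores len,
   so the comparison ends at the first \0. */
int naive_match(const struct cert_name *cn, const char *host)
{
    return strcasecmp(cn->data, host) == 0;
}

/* Length-aware check: a NUL inside the name is rejected outright, and
   the full encoded length must equal the hostname's length. */
int strict_match(const struct cert_name *cn, const char *host)
{
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return 0;                      /* \0 is never valid in a DNS name */
    if (cn->len != strlen(host))
        return 0;
    return strncasecmp(cn->data, host, cn->len) == 0;
}

int main(void)
{
    printf("encoded length of spoofed name: %zu bytes\n", spoofed.len);
    printf("naive  match vs paypal.com: %d\n",
           naive_match(&spoofed, "paypal.com"));
    printf("strict match vs paypal.com: %d\n",
           strict_match(&spoofed, "paypal.com"));
    printf("strict match, genuine cert: %d\n",
           strict_match(&genuine, "PayPal.com"));
    return 0;
}
```

The same embedded-NUL test applies on the issuing side: a CA that validates the requested name against its full encoded length never signs it.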

8 of 280 comments

  1. Re:\0wned by Lord+Fury · · Score: 5, Funny

    I don't get it, you didn't post anything.

  2. Re:Are CAs that stupid? by OrangeTide · · Score: 5, Insightful

    CAs should be fixed to not allow garbage in the domain. \0 isn't a legal character in the DNS protocol, so why should anyone be allowed to register a domain certificate with something that is not allowed?

    I miss Pascal strings, where the first byte was the length of the string. It had lots of cool advantages in situations like this over C's null-terminated strings.

    --
    “Common sense is not so common.” — Voltaire
  3. Re:\0wned by LucidBeast · · Score: 5, Funny

    I just came to say Moxie Marlinspike is just about the coolest name I've ever seen...

  4. Dan Kaminsky, would you STOP ALREADY !! by Anonymous Coward · · Score: 5, Funny

    Go do something else for a while. If it were not for you we all would be safer !!

  5. So now... by mhkohne · · Score: 5, Funny

    All we have to do is get the CAs to pay attention to the certs they issue, correct?

    Uh-oh. We're screwed.

    --
    A thousand pounds of wood moving at 300 feet per minute. Don't get in the way.
    1. Re:So now... by Anonymous Coward · · Score: 5, Insightful

      No, all we have to do is make CAs liable for the certs they issue.

  6. Re:If we were using pascal strings... by QuoteMstr · · Score: 5, Informative

    It's actually rather amusing that people here proclaim Pascal-style strings as the solution to all our woes.

    It's because certificates use ASN.1, essentially a modern-day Pascal string, that these vulnerabilities are possible. If certificates instead were encoded using C-style strings, NULLs wouldn't be an issue.

  7. Great summary by Bromskloss · · Score: 5, Insightful

    The summary really explained what it's all about, rather than sounding like a newspaper that wants you to read more. This is great! Too few summaries are like this. Editors, you should make sure every story gets such a good presentation on Slashdot.

    --
    Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities