Slashdot Mirror

← Back to Stories (view on slashdot.org)

Null-Prefix SSL Certificate For PayPal Released

Posted by kdawson on from the don't-mess-with-mister-inbetween dept.

An anonymous reader writes "Nine weeks after Moxie Marlinspike presented at Defcon 17, null-prefix certificates that exploit the SSL certificate vulnerability are beginning to appear. Yesterday, someone posted a null-prefix certificate for www.paypal.com on the full-disclosure mailing list. In conjunction with sslsniff, this certificate can be used to intercept communication to PayPal from all clients using the Windows Crypto API, for which a patch is still not available. This includes IE, Chrome, and Safari on Windows. What's worse, because of the OCSP attack that Moxie also presented at Defcon, this certificate cannot be revoked." Update: 10/06 23:19 GMT by KD: Now it seems that PayPal has suspended Marlinspike's account.

29 of 351 comments (clear)

  1. In other news... by Anonymous Coward · · Score: 4, Funny

    ...it is thought that more people are going to be using Macs' and Linux in the future.

  2. So let me get this right... by Darkness404 · · Score: 5, Insightful

    The people who need to make sure to get everything secure in order to for the web to function have waited longer than -9 weeks- to get something fixed? When the thing was presented at... Defcon? What else do these people have to do other than fix these -major- flaws. When something is shown at Defcon, BlackHat, HOPE or any other major security conference, the first thing for these people to do would be to fix the flaw. 9 weeks is inexcusable.

    --
    Taxation is legalized theft, no more, no less.
    1. Re:So let me get this right... by Korin43 · · Score: 4, Interesting

      But it's pretty clear who's responsibility it is. Microsoft needs to update the Windows Crypto API. Mozilla products are already patched.

    2. Re:So let me get this right... by bertok · · Score: 5, Interesting

      The people who need to make sure to get everything secure in order to for the web to function have waited longer than -9 weeks- to get something fixed? When the thing was presented at... Defcon? What else do these people have to do other than fix these -major- flaws. When something is shown at Defcon, BlackHat, HOPE or any other major security conference, the first thing for these people to do would be to fix the flaw. 9 weeks is inexcusable.

      The problem is that this is not just some buffer overflow where you can replace single function call with an equivalent function call that does a safety length check. Security holes that depend on '\0' characters in strings exploit a systematic flaw in the Windows API design: the mix of two entirely different and incompatible types of strings all over the place. The 'native NT' API uses Unicode strings with an explicit length, but the Win32 API and C/C++ libraries usually use null-terminated strings. The dirty compromise is to use null-terminated strings together with an explicit length. Naively, one would think that this is now compatible with both, but it isn't - the NT API strings are a superset of the C-style API strings, because they can contain \0 characters, which the latter cannot handle.

      This is a glaring flaw, has been known for many years, and will probably never get completely fixed. The SysInternals guys wrote a nice article about it once, I think, but I can't find it any more. It's lost in the mists of time. It's been exploited repeatedly too. You can create files and registry entries with \0 in them, and then none of the user-mode tools will be able to modify or delete those, including Explorer and the command-line tools. Viruses and other malware make use of this 'feature' often.

      What really shits me is that Microsoft hasn't learned a thing. They talk big about security, but it's just talk. For example, the entire ASP.NET API suffers from a similar mismatch of encodings flaw: All of the data binding controls fail to properly HTML encode strings coming from a database. This makes virtually all ASP.NET applications ripe for exploits via XSS or other script injection attacks. The one time I wrote an ASP.NET app, I had to spend weeks going through and replacing all of the simple-looking bind statements with explicit calls to a method that would both bind and encode. Even in the upcoming 4.0 release, the flaw is still there. I suspect that it won't ever get fixed.

      If Microsoft can sit on a related security holes for years, don't hold your breath for a patch for this one. Even if they do fix it, I suspect they'll do something half-assed, like create a patch for IE only, instead of the cryptographic subsystem as a whole.

    3. Re:So let me get this right... by QuoteMstr · · Score: 5, Insightful

      All of the data binding controls fail to properly HTML encode strings coming from a database. This makes virtually all ASP.NET applications ripe for exploits via XSS or other script injection attacks. The one time I wrote an ASP.NET app, I had to spend weeks going through and replacing all of the simple-looking bind statements with explicit calls to a method that would both bind and encode. Even in the upcoming 4.0 release, the flaw is still there. I suspect that it won't ever get fixed.

      To be fair, that's the kind of thing Microsoft really can't fix: plenty of people depend on outputting HTML stored in the database, and making escaping the default would break these users. We can debate the usefulness of Microsoft's compatibility-über-alles approach, but you can't fix that problem and preserve backward compatibility.

    4. Re:So let me get this right... by nametaken · · Score: 4, Insightful

      For example, the entire ASP.NET API suffers from a similar mismatch of encodings flaw: All of the data binding controls fail to properly HTML encode strings coming from a database. This makes virtually all ASP.NET applications ripe for exploits via XSS or other script injection attacks.

      I would be pretty upset if everything I pulled from DB was automagically HTML encoded. I protect against XSS where it needs to be done. There are places where HTML encoding your data would not work. I do, however, always use parameterized inserts to protect against sql injection on top of an appropriate string cleaning function. Few things aggravate me like shitty ad-hoc inserts and the absence of string cleaning tied to a client-driven interface.

    5. Re:So let me get this right... by QuantumRiff · · Score: 4, Interesting

      I have never understood that for years, you have been able to create a folder with a space at the end of its name in a script. Try, just try, to delete that folder.. You can't create it in explorer, you can't delete it in explorer.. in fact, the only way to fix that I have found, is hope to god its a long file name, drop to a command prompt, and delete it with "Del folder~1"

      Years and years...

      Speaking of which, I got to try that in server 2008, and Windows 7.. Its a fun way to use 3 lines of script to really piss off your IT co-workers...

      --

      What are we going to do tonight Brain?
    6. Re:So let me get this right... by Anonymous Coward · · Score: 5, Informative

      I have never understood that for years, you have been able to create a folder with a space at the end of its name in a script. Try, just try, to delete that folder.. You can't create it in explorer, you can't delete it in explorer.. in fact, the only way to fix that I have found, is hope to god its a long file name, drop to a command prompt, and delete it with "Del folder~1"

      Well, the documentation for Windows Explorer specifically states that it may not support all the naming conventions of the underlying file systems. Of course, it would be entirely reasonable to expect it to fully support the naming conventions of any Microsoft file system, but MS seems to operate under an unusual definition of "reasonable"...

      You don't need a script to create such folders, just the command prompt. This will work just fine: mkdir ".\Space \". Even better, dir /X may fail to reveal this as a long filename (by definition, any filename containing a space is a long filename even if it's eight or fewer characters in length), in which case there's no way to use dir to make it obvious there's an abomination in the list of folders.

      Note that mkdir "Space " won't give you the trailing space in the folder name, at least not on anything earlier than Vista or 2003 (never tried this trick on anything after XP). Similarly, rmdir "Space " fails to remove the directory, but you can remove it with rmdir ".\Space \".

      File this under "Stupid cmd.exe tricks".

      Speaking of which, I got to try that in server 2008, and Windows 7.. Its a fun way to use 3 lines of script to really piss off your IT co-workers...

      Heh, create three sibling directories named "stuck" where they have one, two, and three trailing spaces - then sit back and watch the consternation. It will look like there are three folders with identical names under the same folder (impossible!), and none of them can be deleted with Explorer. Pure, evil fun.

      - T

  3. Wow? by Anonymous Coward · · Score: 4, Funny

    Moxie Marlinspike - that's a goblin name if I ever saw one.

    1. Re:Wow? by captnbmoore · · Score: 4, Informative

      You do know what a marlinspike is right? http://en.wikipedia.org/wiki/Marlinspike

      --
      The Navy Motto "IF it ain't broke Fix It" "A day is wasted if you don't learn something new"
  4. What about the CA that issued it? by mindstrm · · Score: 5, Interesting

    With CNs like www.paypal.com\0ssl.secureconnection.cc

    Shouldn't the CA who issued the certificate bear *some* of the blame here?

    It just seems logical....

    1. Re:What about the CA that issued it? by ekhben · · Score: 5, Insightful

      Ahh, you've discovered why SSL on the web is fundamentally broken -- CAs have no incentive to act responsibly, since their customers are certificate requestors, not relying parties. And certificate requestors like CAs who don't have heavy process and high fees.

      I believe the only way forward is for browsers to change the model: associate a certificate SKI with a web site on first visit, warn if that changes. Don't worry about certificate validity, since the hierarchical trust model has been compromised from the root.

    2. Re:What about the CA that issued it? by QuoteMstr · · Score: 5, Interesting

      CAs have no incentive to act responsibly, since their customers are certificate requestors, not relying parties. And certificate requestors like CAs who don't have heavy process and high fees.

      Especially Comodo:

      Five minutes later I was in the possession of a legitimate certificate issued to mozilla.com - no questions asked - no verification checks done - no control validation - no subscriber agreement presented, nothing

  5. Re:Heh... surprised? by petronije · · Score: 5, Informative

    Looks like lynx (http://lynx.isc.org) is still safe.

  6. Re:Heh... surprised? by Romancer · · Score: 4, Informative

    From the article:

    Fortunately, Mozilla developers patched the hole a few days after Marlinspike's demo and Apple followed suit a few weeks later with Safari for OS X. That means if you're on Windows, the only way to protect yourself against this critical vulnerability is to use versions 3.5 or 3.0.13 or later of Firefox. At least until Microsoft fixes the CryptoAPI, whenever that may be.

    --


    ) Human Kind Vs Human Creation
    ) It'd be interesting to see how many humans would survive to serve us.
  7. Re:Such dependancies annoy nLite users! by Anonymous Coward · · Score: 5, Insightful

    This has to be the worst advice I've ever heard.

  8. Re:Such dependancies annoy nLite users! by sakdoctor · · Score: 4, Insightful

    NO! Don't roll your own crypto. This is madness!
    *Kicks BikeHelmet into pit*

    OpenSSL is available for windows; use that.

  9. Update by Hatta · · Score: 4, Informative

    Sounds like PayPal should be freezing everyone's account until this is fixed.

    --
    Give me Classic Slashdot or give me death!
  10. "...PayPal has suspended Marlinspike's account." by magsol · · Score: 5, Insightful

    Because that is totally going to fix the problem.

    --
    "I'd just like to emphasise that taking a million years isn't a metaphor here..." -Rich Bradshaw
  11. Re:Yay Choices! by quickOnTheUptake · · Score: 4, Informative
    Using a less targeted platform is not security through obscurity, at least not in the conventional sense of the term.
    This is a nice definition:

    Security Through Obscurity (STO) is the belief that a system of any sort can be secure so long as nobody outside of its implementation group is allowed to find out anything about its internal mechanisms. Hiding account passwords in binary files or scripts with the presumption that "nobody will ever find it" is a prime case of STO.

    For shits and grins here is a slashdot feature on the topic; the first couple of paragraphs should make the usage clear. In fact he even goes on to point out that it can not be used by opensource software.

    --
    Mod points: Guaranteed to remove your sense of humor.
    Side effects may include gullibility and temporary retardation
  12. Re:"...PayPal has suspended Marlinspike's account. by HeronBlademaster · · Score: 5, Funny

    If you don't shoot the bearers of bad news, people will keep bringing it to you.

  13. Re:Yay Choices! by Jaysyn · · Score: 4, Informative

    Or just use Firefox. Wow, that's a lot easier!

    --
    There is a war going on for your mind.
  14. Shooting whom? by eyepeepackets · · Score: 4, Funny

    Kirk: How is the messenger, Bones?

    McCoy: He's dead, Jim.

    Kirk: Well, I suppose our mission here is accomplished.

    McCoy: Yes, I suppose you're right.

    --
    Everything in the Universe sucks: It's the law!
  15. Re:Yay Choices! by Excelsior · · Score: 5, Insightful

    I am not a security expert, but does switching to Firefox really solve the issue? For browsing, sure. But everyone is saying this is part of the core crypto API in Windows. Certs are used in more things than just IE.

    When the app you want to install says it is signed by Microsoft, Mozilla, or Nullsoft, can you still be sure that it really is? Can you be sure the Windows Update software is actually retrieving updates without a man-in-the-middle?

    I really don't know the answers to these questions. But I would be surprised if switching to Firefox is a cure to a bug in the core Win32 apis. Helpful: yes. A solution: probably not.

  16. Re:No, but by QuoteMstr · · Score: 4, Insightful

    AFAIK, the law supports your position. But I really think we need to examine whether that's the kind of society we want. It's perfectly fine for a small business to arbitrarily refuse to have a relationship with a particular person. That person can go elsewhere, and the small business is only hurting itself. But large companies like PayPal are different. They form an integral part of the fabric of modern life. When one of these large companies denies service to an individual, that person's quality of life is reduced without an opportunity for rebuttal, or for a fair judgment by his peers. These companies have become de facto utilities, and just as the electric company cannot turn off your lights because of a personal grudge, PayPal should not be able to arbitrarily cripple your ability to send and receive money.

    When a company gains quite a bit from being large enough to matter in this way; it should give something in return.

  17. ow, retaliate! by Onymous+Coward · · Score: 5, Insightful

    If you cause someone grief, don't expect them to be nice to you in return.

    Look at it this way: If a doctor jabs you with a mortally-needed anti-venom needle, do you have the right to tell him "Fuck off!"?

    I suppose... "He caused me grief!" Yeah, okay. It's a bit of a simplistic metric, really, for determining what is a good response. Appropriate for a young child or a retard. Maybe not for a large corporation. Hopefully not for you.

    It does matter what the person's intentions were.

  18. Re:No, but by lilrobbie · · Score: 5, Insightful

    From Paypal's justification of their banning:
    "We do not, however, allow PayPal to be used in the sale or dissemination of tools which have the sole purpose to attack customers and illegally obtain individual customer information," the spokeswoman, Sara Gorman, wrote in an email. "We consider whether there is any legitimate use in helping to strengthen the defenses of one's site when determining violation of our policy."

    The problem with your statement is that he did not cause Paypal problems in the way that you think. He showed a widespread security flaw, using Paypal as an example... and Paypal suddenly decided that the tools he was producing "have the sole purpose to attack customers and illegally obtain individual customer information". This is a complete and utter load of bollix.

    So yes, Paypal may not be happy they have a vulnerability... the same vulnerability that every other SSL cert user has I might add... but he was not breaking their TOS. What they did was infantile and very counter-productive.

    This kind of behaviour means the only people that know the flaws in your system are the hackers who want to exploit them for nefarious means, rather than these researchers, who are doing it partially to "help the world", but also to HELP YOU.

    I wouldn't trust a company who discourages security penetration testing and thorough investigations of their systems in these ways. Because you can bet your pants, the black-hat hackers will do their homework and find these flaws if our researchers don't.

  19. How does this work (in 20 seconds) by Monkier · · Score: 5, Informative

    what usually happens:
    * you request a cert common-name=serverbox.mydomain.com from a Certificate Authority (CA)
    * CA determines you are authorized to make this request on behalf of mydomain.com
    * serverbox.mydomain.com serves down the signed cert, your browser makes sure website == common-name == serverbox.mydomain.com

    what these clever guys discovered:
    * you can request a cert common-name=paypal.com\0.mydomain.com
    * CA determines you are authorized to make this request on behalf of mydomain.com
    * man-in-the-middle sits in between you and paypal.com, serves down this cert, victim's browser makes sure website == common-name == paypal.com (whoops!)
    * victim sees paypal.com in their browser with that reassuring padlock

  20. escape-characters poorly misunderstood by durnurd · · Score: 4, Informative
    I'm rather fond of this bit of ignorance:

    The certificate is the latest to target a weakness that causes browsers, email clients, and other SSL-enabled apps to ignore all text following the \ and 0 characters

    --
    --Edward Dassmesser