Trust Thy Certificate? New SSL Vulnerabilities Revealed At BlackHat 2009

by Bharat Suneja

It’s BlackHat time in Vegas, and I was expecting some interesting security revelations to make headlines, but not as serious as the SSL vulnerability revealed by independent security researcher Moxie Marlinspike. Moxie showed a way to intercept SSL traffic using what he calls a null-termination certificate. Reportedly, some programs terminate processing of a certificate’s subject name when they come across a null character.

The implications? A certificate issued to www.paypal.com\0.thoughtcrime.org might be read as belonging to www.paypal.com. The risk isn’t that users could be tricked into visiting a phishing web site; that seems pretty trivial these days. This vulnerability opens the door to more dangerous man-in-the-middle attacks that can go undetected and intercept data from supposedly secure sessions, such as those used for online banking or stock trading, amongst others.
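To make the parsing flaw concrete, here is an added C illustration (not code from this post or from Moxie’s tool) contrasting a hostname check that hands the certificate’s subject name to C-string routines, which stop at the first NUL byte, with one that honours the field’s declared length; the sample name is constructed and the function names are mine.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Check in the style of the flaw described above: the subject name is copied
 * into a buffer and compared with strcmp(), which stops at the first NUL byte,
 * so only the part before the NUL is ever looked at. */
bool vulnerable_hostname_match(const unsigned char *cn, size_t cn_len,
                               const char *host)
{
    char buf[256];
    if (cn_len >= sizeof buf)
        return false;
    memcpy(buf, cn, cn_len);
    buf[cn_len] = '\0';
    /* "www.paypal.com\0.thoughtcrime.org" compares equal to "www.paypal.com" */
    return strcmp(buf, host) == 0;
}

/* Hardened check: treat the subject name as a length-delimited byte string,
 * not a C string. An embedded NUL can never be part of a valid hostname, so
 * reject it outright, then compare the full declared length. */
bool safe_hostname_match(const unsigned char *cn, size_t cn_len,
                         const char *host)
{
    if (memchr(cn, '\0', cn_len) != NULL)
        return false;
    size_t host_len = strlen(host);
    if (host_len != cn_len)
        return false;
    return memcmp(cn, host, cn_len) == 0;
}

/* Constructed sample subject name. In a real certificate the DER length of
 * the string covers every byte, including the NUL in the middle. */
static const unsigned char sample_cn[] = "www.paypal.com\0.thoughtcrime.org";
static const size_t sample_cn_len = sizeof sample_cn - 1; /* drop trailing NUL */

int main(void)
{
    printf("vulnerable check accepts: %d\n",
           vulnerable_hostname_match(sample_cn, sample_cn_len, "www.paypal.com"));
    printf("hardened check accepts:   %d\n",
           safe_hostname_match(sample_cn, sample_cn_len, "www.paypal.com"));
    return 0;
}
```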

Moxie demonstrated such a man-in-the-middle attack using code that allowed him to intercept SSL traffic undetected. What increases the risk, according to him, is that it can be used to intercept Firefox update requests, which depend on SSL. It’s not hard to guess the consequences of such a compromise. With a modified copy of Firefox and his tool, “…anytime you submit something to a site it sends me a copy”, he revealed.

Are other browsers vulnerable? Yes, but not to a similar extent. It would be harder on Internet Explorer, since it uses code signing to ensure the authenticity and integrity of code.


camcorder taschen October 24, 2009 at 5:13 am

My head feels like a merry-go-round or something… how to deal with it??


Bharat Suneja October 24, 2009 at 9:01 am

@camcorder taschen: This was fixed by Mozilla in Firefox 3.5. See Mozilla Foundation Security Advisory 2009-42.
