Trust Thy Certificate? New SSL Vulnerabilities Revealed At BlackHat 2009

It's BlackHat time in Vegas, and I was expecting some interesting security revelations to make headlines, but not as serious as the SSL vulnerability revealed by independent security researcher Moxie Marlinspike. Moxie showed a way to intercept SSL traffic using what he calls a null-termination certificate. Reportedly, some programs terminate processing of a certificate's subject name when they come across a null character.

The implications? A certificate issued to www.paypal.com\0.thoughtcrime.org might be read as belonging to www.paypal.com. The risk isn't that users could be tricked into visiting a phishing web site— that seems pretty trivial these days. This vulnerability opens the door for more dangerous man-in-the-middle attacks that can go undetected and intercept data from supposedly secure sessions, such as those used for online banking or stock trading, amongst others.

Moxie demonstrated such a man-in-the-middle attack using code that allowed him to intercept SSL traffic undetected. What increases the risk— according to him it can be used to intercept FireFox update requests, which depend on SSL. It's not hard to guess the consequences of such a compromise. With a modified copy of FireFox and his tool, "...anytime you submit something to a site it sends me a copy", he revealed.

Are other browsers vulnerable? Yes, but not to a similar extent. It would be harder on Internet Explorer, since it uses code signing to ensure the authenticity and integrity of code.