Feeds

Wildcard certificate spoofs web authentication

SSL felled by null string

The essential guide to IT transformation

Black Hat In a blow to one of the net's most widely used authentication technologies, a researcher has devised a simple way to spoof SSL certificates used to secure websites, virtual private networks, and email servers.

The attack, unveiled Wednesday at the Black Hat security conference in Las Vegas, exploits a weakness in the process for generating secure sockets layer certificates. It works by adding a null string character to several certificate fields, a technique that tricks browsers and other SSL-enabled programs into misinterpreting the domain name that is being authenticated.

Security researcher Moxie Marlinspike created what he called a universal wildcard certificate that in many ways resembles certificate authority certificates that VeriSign and other companies use to generate SSL certificates. He did it by applying for a normal certificate for his website thoughtcrime.org. In the commonName field he listed the site as *\0.thoughtcrime.org, giving him a certificate that tricks many programs into authenticating virtually every address on the internet.

"You get this certificate and it will match any domain you're trying to connect to," Marlinspike told the Black Hat audience. "It's actually better than a CA cert because if you get a CA cert you at least have to create and sign another certificate to then present it for whatever you're trying to connect to. This you just hand them over and over again. You don't need to sign anything."

The attack came the same day that fellow researchers Dan Kaminsky and Len Sassaman laid out some half-dozen vulnerabilities in X.509, the technology that implements the PKI, or public key infrastructure that makes the SSL system work. Coincidentally, one of their attacks involved the same null-termination technique laid out by Marlinspike.

Another exploit targeted a decade-old VeriSign root certificate that was signed using MD2, an algorithm that's vulnerable to what's known as preimage attacks, in which someone is able to find a message that generates a predetermined hash.

"What we see is a real crisis in authentication," Kaminsky said during a press conference following his talk. "PKI was supposed to fix all this. We've been trying to do this for 10 years, and it's just not working."

Kaminsky said the current PKI system should be overhauled and rolled into DNSSEC, a security standard that's being implemented to better secure the domain name system.

The research isn't particularly comforting for people who regularly depend on SSL to authenticate websites and encrypt sensitive transactions.

Marlinspike has updated a software tool he wrote called SSLSniff to take advantage of the null-termination SSL bug. It allows a computer plugged into a network to all other network users to receive spoofed SSL pages that look identical to the real thing. The computer then logs all incoming and outgoing traffic that normally would have traveled through encrypted channels.

SSLSniff can also be used to automatically exploit software update mechanisms that rely on SSL for authentication. Instead of installing the update, the software pushes a malware package of the attacker's choice.

At the moment, version 3.5 of Firefox is the only browser that is protected against the attack, although Sassaman said Internet Explorer provides some protection too. ®

Next gen security for virtualised datacentres

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
Oz fed police in PDF redaction SNAFU
Give us your metadata, we'll publish your data
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?