More Certificate Woes
Nik Barron - www.virus.org - 11 August 2009
Security
Yet another attack on the SSL certificate management infrastructure
At the recent BlackHat computer security conference, researcher Moxie Marlinspike revealed yet another attack on the SSL certificate management infrastructure that underpins much of the web's security.
The problem exploits the trend towards automated verification of certificate requests. Because of the volume of requests it is not feasible for certification authorities to verify each one manually, so they typically use an automated process that contacts an administrative address for the domain in question. For example, asking for a certificate for mysite.honestnik.org would result in a verification email to (for example) root@honestnik.org.
Due to peculiarities in the notoriously complex X.509 certificate standard, it is possible to ask for a certificate for a site name containing bogus characters, such as the ASCII NUL. X.509 names are length-prefixed strings, so a NUL is just another byte to the CA's parser, whereas browser code that handles the name as a C-style NUL-terminated string stops reading at it.
For example, asking for a certificate for www.paypal.com\0mysite.honestnik.org would result in a certificate that most browsers would see as "www.paypal.com", while the verification request would go to root@honestnik.org. That makes it a valuable trick for would-be phishers.
This doesn't actually breach the X.509 standard, but clearly breaches common domain naming rules. While there may be some debate on the legality of certain printable characters in domain names, I think it's safe to say no-one is proposing ASCII NUL as a sensible choice. Marlinspike expands on this and various other attacks on SSL in his excellent paper and presentation.
Fortunately most current browsers have now been patched to handle this particular issue. Guardian also (following an update released last week) now performs additional checks to prevent users visiting sites with dubiously produced certificates. More worrying is the failure of the certification authorities to follow standard industry practice in handling untrusted data, which is even more critical when the process is automated.
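To make the two interpretations concrete, here is an added example (not code from the original post, and not Guardian's or any CA's actual implementation) that models the mismatch described above and the kind of input check a CA or client could apply. It encodes the name from the post as a DER UTF8String, decodes it once honouring the length octet (as an ASN.1 parser does) and once as a NUL-terminated C string (the browser behaviour at issue), and then runs a hostname check that rejects embedded NULs and anything outside RFC 1123 label syntax. The `registrable_suffix` helper is a deliberately crude, assumed model of an automated "last two labels" verification lookup; the sample name is the one from the post.

```python
import re

# Constructed sample: the subject name exactly as it appears in the post,
# with an embedded ASCII NUL between the two hostnames.
SAMPLE_NAME = b"www.paypal.com\x00mysite.honestnik.org"


def der_utf8string(value: bytes) -> bytes:
    """Encode a short value (< 128 bytes) as a DER UTF8String: tag 0x0C, length, bytes."""
    if len(value) >= 128:
        raise ValueError("long-form DER lengths not handled in this example")
    return b"\x0c" + bytes([len(value)]) + value


def decode_length_aware(der: bytes) -> bytes:
    """Decode the way an ASN.1 parser does: trust the length octet, not the content."""
    if der[0] != 0x0C:
        raise ValueError("not a UTF8String")
    length = der[1]
    return der[2 : 2 + length]


def decode_as_c_string(value: bytes) -> bytes:
    """Model the client bug: treat the buffer as NUL-terminated and stop at the first NUL."""
    nul = value.find(b"\x00")
    return value if nul < 0 else value[:nul]


# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen (RFC 1123).
_LABEL = re.compile(rb"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def hostname_is_well_formed(name: bytes) -> bool:
    """Reject embedded NULs, bad lengths, and labels outside RFC 1123 hostname syntax."""
    if b"\x00" in name or not 1 <= len(name) <= 253:
        return False
    return all(_LABEL.match(label) for label in name.split(b"."))


def registrable_suffix(name: bytes, labels: int = 2) -> bytes:
    """Assumed, simplified model of an automated CA check: keep only the last N labels."""
    return b".".join(name.split(b".")[-labels:])


def assess(name: bytes) -> dict:
    """Show what each party would see for one requested name, and whether it passes the check."""
    der = der_utf8string(name)
    return {
        "ca_sees": decode_length_aware(der),
        "ca_verifies_via": registrable_suffix(decode_length_aware(der)),
        "client_sees": decode_as_c_string(name),
        "accepted": hostname_is_well_formed(name),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_NAME).items():
        print(f"{key:>16}: {value!r}")
```

The point of `hostname_is_well_formed` is that it runs on the raw bytes before any string conversion, so the name that is validated is the same name the client will eventually display; a check that only looks at the domain used for the verification email never sees the prefix. A trailing-dot form such as `example.com.` is rejected by this check as well; accept it only if your issuance policy explicitly allows it.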
More information:
BlackHat.com: Marlinspike Presentation