Null Character Hack Allows SSL Spoofing 280
eldavojohn writes "Two researchers, Dan Kaminsky and Moxie Marlinspike, came up with exact same way to fake being a popular website with authentication from a certificate authority. Wired has the details: 'When an attacker who owns his own domain — badguy.com — requests a certificate from the CA, the CA, using contact information from Whois records, sends him an email asking to confirm his ownership of the site. But an attacker can also request a certificate for a subdomain of his site, such as Paypal.com\0.badguy.com, using the null character \0 in the URL. The CA will issue the certificate for a domain like PayPal.com\0.badguy.com because the hacker legitimately owns the root domain badguy.com. Then, due to a flaw found in the way SSL is implemented in many browsers, Firefox and others theoretically can be fooled into reading his certificate as if it were one that came from the authentic PayPal site. Basically when these vulnerable browsers check the domain name contained in the attacker's certificate, they stop reading any characters that follow the "\0 in the name.'"
Are CA's that stupid? (Score:1, Interesting)
Would a CA really grant a certificate for paypal\0.badguy.com ?
Is the null character valid in a domain name? (Score:5, Interesting)
If not, the CA should not have issued the cert in the first place. Which CA was it?
Only as secure as the gate-keeper. (Score:2, Interesting)
The browser is going "Show me that this cert is valid for paypal.com" and the CA is going "Here it is, for paypay.com" , at least as far as the browser is concerned.
This is no more a flaw then if the CA just started letting anyone buy certs for paypal.com.
Having multiple CAs (and cheap CAs) is a good thing, but we're only ever secure with ssl as the least secure CA.
Re:And we trust CAs *why* again? (Score:1, Interesting)
If the two major CAs were VISA and Mastercard I would be a lot happier.
They would at least have a vested interest in not putting out duff certs because they would end up paying for any money you lose to the perps.
Re:When C Strings Attack! (Score:4, Interesting)
>>>"I would also like a beer#@a9101gb230b81;kajf3#$B89*#()*13!$%#@$""
When I first read this I thought something was wrong with my modem. This is how online surfing used to appear prior to the advent of error-correction. Random noise could suddenly appear in the middle of your test. ..... Well I think I'm done for the day. Goodbye all!
+++
ATH
bio#OP*qe! B89*#()*13!B89*#()*13!B89*#()*13! (click)
CARRIER LOST
Re:When C Strings Attack! (Score:5, Interesting)
Java strings!
32bit signed int, max length 2GB.
That ought to be enough for anybody. ;) If you need longer, there's special buffer classes that can go longer.
The string also chooses between ASCII and Unicode when initialized, (you can manually set char encoding, as well) so properly cleaned/trimmed ASCII strings don't waste any memory. (Except for the 3 bytes extra that go into a length int, instead of a null char - but those 3 bytes also give you an amazing speedup when you need to know the length of the string.)
I believe C# implements Strings in a similar way.
Re:Makes me wonder (Score:1, Interesting)
Unfortunately, C strings do not support easy, efficient string concatenation.
First of all, if I want to put string Y at the end of string X, I need to figure out where string X ends. Since I don't know the length of X, I have to inspect every single byte of it (possibly waiting for it to be paged in from disk) until I find the end. Of course there's no guarantee that there is a null character within the region allocated for X, so I have to accept the possibility that the pointer will wrap around past the end of my address space or hit an unallocated part of virtual memory (throwing an exception/signal). In fact, a naive strlen implementation could be an infinite loop!
Then I have to make sure that the string Y doesn't overlap X. This means that a naive strcat implementation could also be an infinite loop! After that, I have to copy each byte of Y individually to the end of X. I can't ever operate on more than one byte at a time because I can't expect to read past the first null byte I see (that could cause a page fault).
Another option is to find the length of Y in order to know how many bytes to copy before the null char is wiped out, which means inspecting every byte to find the null.
Once I have the length of X and Y I can perform an easy, efficient memory copy, which presumably copies whole words (4 or 8 bytes) at a time rather than individual bytes. If the lengths were stored with the strings, the memory copy could be done immediately and then the only additional work would be to add the length of Y to the length of X.
Re:Only as secure as the gate-keeper. (Score:3, Interesting)
In this attack, the certificate is valid, and has not expired or been revoked, because the certificate was issued by a valid CA and is compliant with all the rules.So Firefox checks 1 and 2 they pass, as they should. But what's supposed to happen is firefox checks the 3rd part, and should detect the mismatch and generate an error. But firefox implements check #3 wrong, this is the problem. Firefox is improperly treating the domain name as null terminated, when the strings are supposed to be length delimited. This is a browser bug, plain and simple.
gentlemen that reminds me... (Score:4, Interesting)
The trick was that IE stopped parsing the url at the bogus 'e' and went to "passwordedit.info" (my site) while displaying "passwordedit.info.example.com" in the url bar.
My site recorded the new passwords while forwarding the change request to the real site
IE6 was fixed and no press release was made (we are discreet)
domains and URLs have been changed to protect the guilty
Re:So now... (Score:3, Interesting)
Isn't that why they charge huge amounts for the certs?
No, I think that's called rampant profiteering. And because competition has driven the price down too low for them (oh no, they can only get away with charging ~50 euros for an automatically-generated chunk of data) they've introduced extended validation certs, where they actually do what they were supposed to be doing in the first place and charge yet more money for it...