(WEB HOST INDUSTRY REVIEW) — According to a story published Wednesday on Wired’s Threat Level security blog, among other places, security researchers presenting at the Black Hat security conference (www.blackhat.com) this week in Las Vegas said they had uncovered vulnerabilities in the issuing process for SSL certificates that could allow attackers to pose as any website.
IOActive researcher Dan Kaminsky and independent researcher Moxie Marlinspike presented identical findings in separate presentations, each having reached the same conclusion independently, according to Wired.
Both men demonstrated that an attacker can legitimately acquire an SSL certificate with a special character in the domain name that would enable the site to fool almost all popular browsers into thinking it is whatever site the attacker wants it to appear to be.
A malicious website operator can request an SSL certificate for a subdomain of a site he owns, such as PayPal.com\0.badguy.com, where \0 is the null character (to borrow the precise example used in the Threat Level story). Because of a mistake in the way browsers parse the domain name when reading SSL certificates, many browsers could be fooled into treating the certificate as belonging to the real PayPal.com website.
This approach can be extended to acquire a certificate for a wildcard domain such as *\0.badguy.com, which could be used to pose as any site on the Internet.
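The mechanism behind the two preceding paragraphs is that a browser which treats the certificate's Common Name as a NUL-terminated C string stops reading at the null character, so "paypal.com\0.badguy.com" compares equal to "paypal.com". The following C program is an added example, not code from the article or from either researcher; it places that vulnerable comparison beside a length-aware check that rejects any embedded NUL, plus the issuance-side check a certificate authority could apply. The sample Common Name byte strings are constructed for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample Common Name values, stored with explicit lengths the way a
 * DER-decoded subject carries them. CN_NULL mirrors the article's
 * "PayPal.com\0.badguy.com" pattern (lower-cased; matching is case-insensitive).
 * sizeof(...) - 1 drops the string literal's own trailing terminator. */
static const unsigned char CN_LEGIT[] = "paypal.com";
static const unsigned char CN_NULL[]  = "paypal.com\0.badguy.com";
#define CN_LEGIT_LEN (sizeof CN_LEGIT - 1)   /* 10 bytes */
#define CN_NULL_LEN  (sizeof CN_NULL - 1)    /* 22 bytes, NUL at offset 10 */

/* Case-insensitive comparison of exactly n bytes. */
static bool ci_equal(const unsigned char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower(a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Vulnerable comparison: treats the CN as a C string, so strlen() stops at the
 * first NUL and the bytes after it are never examined. */
bool naive_cn_matches(const unsigned char *cn, size_t cn_len, const char *host)
{
    (void)cn_len; /* ignoring the encoded length is the defect */
    size_t seen = strlen((const char *)cn);
    return seen == strlen(host) && ci_equal(cn, host, seen);
}

/* Hardened comparison: honours the encoded length, refuses any CN containing
 * a NUL (never legitimate in a DNS name), and compares every byte. */
bool safe_cn_matches(const unsigned char *cn, size_t cn_len, const char *host)
{
    if (memchr(cn, '\0', cn_len) != NULL)
        return false;
    if (strlen(host) != cn_len)
        return false;
    return ci_equal(cn, host, cn_len);
}

/* Issuance-side check a CA could apply to a requested name before signing. */
bool cn_is_issuable(const unsigned char *cn, size_t cn_len)
{
    return cn_len > 0 && memchr(cn, '\0', cn_len) == NULL;
}

int main(void)
{
    const char *host = "paypal.com";
    printf("naive:    legit=%d null=%d\n",
           naive_cn_matches(CN_LEGIT, CN_LEGIT_LEN, host),
           naive_cn_matches(CN_NULL, CN_NULL_LEN, host));
    printf("safe:     legit=%d null=%d\n",
           safe_cn_matches(CN_LEGIT, CN_LEGIT_LEN, host),
           safe_cn_matches(CN_NULL, CN_NULL_LEN, host));
    printf("issuable: legit=%d null=%d\n",
           cn_is_issuable(CN_LEGIT, CN_LEGIT_LEN),
           cn_is_issuable(CN_NULL, CN_NULL_LEN));
    return 0;
}
```

The naive check accepts the null-prefixed name for paypal.com, while the hardened check rejects it on the embedded NUL alone; the same memchr test is what a CA would run at issuance time to refuse such requests in the first place.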
Marlinspike is reportedly planning to release a tool that automates this interception, an upgraded version of SSLSniff, a tool he previously released to intercept traffic to websites with https URLs in man-in-the-middle attacks.
According to the Threat Level report, Firefox version 3.5 is not vulnerable to this attack, and the Mozilla organization is working on a patch for version 3.0.
While certificate authorities could stop issuing certificates with null characters, many such certificates could already have been issued, so browsers will have to be patched to account for the potential attack.