New flaw found in secure Web site technology
\0 might look like a particularly obscure emoticon or “smiley”. But it’s actually the key to exploiting a newly-discovered flaw in the technology behind secure Web sites.
A security researcher using the pseudonym Moxie Marlinspike demonstrated the flaw at the annual Black Hat security conference in Las Vegas today. It involves the way independent “certification authorities” issue digital certificates to confirm that a secure site really does belong to its claimed owner.
The problem identified by both Marlinspike and Dan Kaminsky (pictured), in separate studies, is that the systems used by some certification authorities can be tricked by using a null character. When the system sees a null character it views it like the word END in a telegram and assumes the message is complete.
Unfortunately the symbol used for the null character, \0, is easy to build into a domain name (note that the direction of the slash is opposite to that normally used in Web site addresses). In the example Marlinspike gave, asking the certification authority for a certificate to cover www.paypal.com\0.thoughtcrime.org can get you a certificate for www.paypal.com.
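As an added illustration (not from the article, nor from Marlinspike's or Kaminsky's research), the C program below contrasts a hostname check that stops at the first null byte with one that compares the full length-prefixed name. The sample name is constructed from the article's example; in a real certificate the name is stored with an explicit length, so all of its bytes reach the verifier.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the name from the article's example, with an
 * embedded NUL. A certificate stores this as 32 length-prefixed bytes. */
static const char SAMPLE_CN[] = "www.paypal.com\0.thoughtcrime.org";
static const size_t SAMPLE_CN_LEN = sizeof(SAMPLE_CN) - 1; /* 32 */

/* How many bytes a C-string parser "sees" before it stops at the NUL. */
size_t visible_name_len(const char *cn) {
    return strlen(cn); /* 14 for the sample: "www.paypal.com" */
}

/* Vulnerable check: treats the name as a C string, so strcmp never looks
 * past the NUL and the trailing ".thoughtcrime.org" is ignored. */
int match_c_string(const char *cn, size_t cn_len, const char *host) {
    (void)cn_len; /* the declared length is thrown away: that is the bug */
    return strcmp(cn, host) == 0;
}

/* Hardened check: honours the declared length, and rejects any name that
 * carries a NUL at all, since a NUL is never valid in a DNS hostname. */
int match_length_aware(const char *cn, size_t cn_len, const char *host) {
    if (memchr(cn, '\0', cn_len) != NULL)
        return 0;
    size_t host_len = strlen(host);
    return cn_len == host_len && memcmp(cn, host, cn_len) == 0;
}

int main(void) {
    const char *host = "www.paypal.com";
    printf("declared length %zu, C-string sees %zu bytes\n",
           SAMPLE_CN_LEN, visible_name_len(SAMPLE_CN));
    printf("strcmp-based check accepts:   %s\n",
           match_c_string(SAMPLE_CN, SAMPLE_CN_LEN, host) ? "yes" : "no");
    printf("length-aware check accepts:   %s\n",
           match_length_aware(SAMPLE_CN, SAMPLE_CN_LEN, host) ? "yes" : "no");
    return 0;
}
```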
Of course, to be truly effective the user would have to be tricked into thinking the page they visited truly belonged to the legitimate site, but Marlinspike has already demonstrated a way to do that.
The problem isn’t limited to scamming users into, for example, handing over user names and passwords on a bogus log-in screen. Marlinspike says it can also be used to trick the auto-update system of the Firefox browser, which depends on the secure Web site verification to make sure it is downloading legitimate updates.
Marlinspike is keeping the full details quiet until Mozilla issues an update but, in the meantime, recommends Firefox users switch off auto-updates to be on the safe side.