Researcher Spoofs the Entire Web with Wildcard SSL Certificate

Most SSL implementations vulnerable to null byte poisoning

By on July 30th, 2009 14:17 GMT
Security researcher Moxie Marlinspike demonstrated at the Black Hat security conference how an SSL certificate issued for a domain name containing a null byte could be used to spoof any address on the Web. The researcher incorporated the technique into a man-in-the-middle tool called SSLSniff, which he initially released back in 2002.

The whole trick is to get a Certificate Authority (CA) to sign a certificate for a subdomain containing a null byte character. An example would be gmail.com\0.example.com, where "gmail.com\0" is the subdomain and "\0" is the null byte.

The problem with it is that most SSL implementations are vulnerable to what is called "null byte poisoning." This refers to an attack where a string is forced to end at a particular location by inserting a null byte. Applying this to the SSL certificate above, the browser would interpret it as being for gmail.com.

"This is a vulnerability that would affect every SSL implementation, because almost everybody who has ever tried to implement SSL has made the same mistake," Marlinspike commented for Wired. However, he pointed out that Firefox 3.5 was amongst the few ones that were not vulnerable.

An even more dangerous attack would involve an SSL certificate issued for *\0.example.com. Due to the null byte poisoning, the vulnerable browsers and other SSL-aware applications would interpret this as a certificate for * (everything). "You get this certificate and it will match any domain you're trying to connect to. It's actually better than a CA cert because if you get a CA cert you at least have to create and sign another certificate to then present it for whatever you're trying to connect to."

The researcher explained that, even if CAs were to start refusing to sign such certificates, this wouldn't solve anything, since the ones already issued would remain valid. The only solution to the problem is for developers to fix their SSL implementations and continue reading the domain name when a null byte is encountered. SSLSniff, a tool created by Marlinspike back in 2002, has been updated to include this new attack.

Comments