Rogue PayPal SSL Certificate Available in the Wild

IE, Safari and Chrome users beware

By Lucian Constantin, Web News Editor

6th of October 2009, 09:57 GMT

[Image: PayPal null-prefix certificate publicly released]
A forged SSL certificate that could allow an attacker to trick users of IE, Safari or Chrome on Windows into thinking that a fake PayPal page is legitimate has been publicly released. The cert exploits a yet-to-be-patched null byte poisoning vulnerability in Microsoft's CryptoAPI.

A few months back, during the Black Hat security conference, a security researcher named Moxie Marlinspike demonstrated a proof-of-concept man-in-the-middle attack based on a null-prefix certificate. Such a certificate contains a null byte character \0 in the name of the host it was issued for.

In programming, this character is employed to terminate a string. A bug in Microsoft's CryptoAPI, which is used by browsers like IE, Safari or Chrome to parse SSL certificates, causes the host name to be truncated when \0 is encountered, so everything after the null byte is ignored when the name is compared against the address the user typed. Mr. Marlinspike successfully got a certificate authority to sign several such null-prefix certificates, one of which was for www.paypal.com\0ssl.secureconnection.cc.
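The truncation described above comes down to how the certificate's subject name is compared with the expected host. The following is an added illustration, not code from the article or from CryptoAPI: a constructed subject name that mirrors the form of the certificate mentioned (a host name, an embedded null byte, then the domain the CA actually validated), checked first with a C-string comparison that stops at the null byte and then with a length-aware comparison that uses the explicit length a DER-encoded name carries. The function names and the sample data are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed sample subject CN, with the explicit length a DER string
 * carries. The embedded NUL is what makes it a "null-prefix" name. */
static const unsigned char CN_WITH_NUL[] = "www.paypal.com\0ssl.secureconnection.cc";
static const size_t CN_WITH_NUL_LEN = sizeof(CN_WITH_NUL) - 1;   /* 38 bytes */

/* Vulnerable pattern (hypothetical): the CN is handled as a C string.
 * strcmp() stops at the first NUL, so the name looks like "www.paypal.com"
 * and the part the CA really validated is never seen. */
int hostname_matches_cstring(const unsigned char *cn, size_t cn_len, const char *host)
{
    (void)cn_len;                                   /* length ignored: the defect */
    return strcmp((const char *)cn, host) == 0;
}

/* Hardened pattern (hypothetical): compare over the full DER length and
 * reject any name containing an embedded NUL, which no valid DNS name has. */
int hostname_matches_length_aware(const unsigned char *cn, size_t cn_len, const char *host)
{
    size_t host_len = strlen(host);

    if (memchr(cn, '\0', cn_len) != NULL)
        return 0;                                   /* embedded NUL: refuse outright */
    return cn_len == host_len && memcmp(cn, host, cn_len) == 0;
}

int main(void)
{
    const char *expected = "www.paypal.com";

    printf("C-string compare accepts forged name: %d\n",
           hostname_matches_cstring(CN_WITH_NUL, CN_WITH_NUL_LEN, expected));
    printf("length-aware compare accepts forged name: %d\n",
           hostname_matches_length_aware(CN_WITH_NUL, CN_WITH_NUL_LEN, expected));
    printf("length-aware compare accepts genuine name: %d\n",
           hostname_matches_length_aware((const unsigned char *)expected,
                                         strlen(expected), expected));
    return 0;
}
```

The first comparison reports a match for the forged name, the second rejects it while still accepting a genuine name of the same length. The fix in Firefox 3.5.2 and 3.0.13 mentioned later in the article follows the same principle: trust the length field of the encoded name rather than a terminator found inside the bytes.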

During his Black Hat training session on the subject of intercepting secure communication, this certificate was distributed to the participants for demonstration purposes; however, one of them released it yesterday on the Full-Disclosure mailing list. This means that, now, virtually anybody can use it in combination with SSLSniff, a freely available man-in-the-middle attack tool, in order to intercept a PayPal user's traffic and serve them with a bogus https:// page, which the aforementioned browsers will display as legitimate.

Theoretically speaking, certificate authorities do have a defense against such abuse by revoking the bogus certificates. Browsers use the Online Certificate Status Protocol (OCSP) to check if a certificate has been revoked; however, Mr. Marlinspike also demonstrated an attack that successfully sends fake OCSP responses in order to pass validation. SSLSniff supports this attack method, so revoking the rogue null-prefix PayPal certificate will be of little use.

You might notice that Firefox was not mentioned amongst the vulnerable browsers. That's because it is not, or at least not anymore. Mozilla's browser was initially vulnerable to this attack too, but the bug was patched in Firefox 3.5.2 and 3.0.13, a few days after Marlinspike's presentation at Black Hat.

TAGS:

PayPal | SSL certificate | null byte poisoning | CryptoAPI vulnerability | null-prefix certificate

© Copyright 2001-2009 Softpedia