Browser SSL Certificates Vulnerability
 |
 |
 |
 |
 |
A vulnerability in some browsers allows hackers to successfully impersonate SSL certificates of legitimate sites. If exploited, this vulnerability can allow a hacker to intercept sensitive transmissions.
Details
As Dan Kaminsky and Moxie Marlinspike explained at this year’s BlackHat security conference, a vulnerability in how some browsers interpret domain names could allow hackers to trick users into communicating with malicious sites.
If a malicious person requests a certificate for a host name with an invalid null character in it most CAs (Certificate Authorities) will issue the certificate if the requester owns the domain specified after the null. However, most SSL clients (browsers) ignore that part of the name and used the un-validated part of the host name in front of the null.
This makes it possible for attackers to obtain certificates that would function for any site they wish to target. Hackers then use certificates to intercept and potentially alter encrypted communication between the client and a server, such as sensitive bank account transactions.
Example
- Hacker requests a certificate for a malicious site, including a null in the domain name, ‘yourbank.com\0malicious’.
- Since the hacker is the legitimate owner of the domain ‘\0malicious’, the CA issues the certificate.
- The victim’s browser checks the certificate, but ignores the portion after the null, accepting the certificate as correct for the legitimate site ‘yourbank.com’.
- The hacker intercepts all communication from the victim, intended for the legitimate site, ‘yourbank.com’. Hackers can use this opportunity to steal important data such as passwords and account information.
Mozilla Firefox 3.0.12 or Mozilla Network Security Services 3.12.3 and prior versions are vulnerable to this type of exploit.