Thursday

Null character MITM Certificate released

This year Dan Kaminsky and Moxie Marlinspike discovered that when requesting a certificate for a name such as "Paypal.com\0.phishing.com", some CAs would approve the request. What made it worse is that SSL clients (and browsers) would ignore the characters after the null character, leading to an effective SSL Man in the Middle attack.

Although it isn't possible to request these certificates anymore, Jacob Appelbaum released such a certificate yesterday together with its private key, stating that everybody had had enough time to fix the issue. If you're a developer, you might want to look into this issue. For example, BlackBerries were still vulnerable to the attack.
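The core of the bug is a hostname check that treats a length-prefixed ASN.1 string as a C string. The following is an added example, not code from the original post or from NSS/CryptoAPI: the `asn1_string` type and the sample CN are constructed here to show the vulnerable comparison beside a hardened one that honours the real length and rejects embedded NULs (wildcard matching is left out).

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Minimal stand-in for a certificate subject CN as it sits in DER:
 * an explicit length plus bytes that may legally contain 0x00. */
typedef struct {
    const unsigned char *data;
    size_t len;
} asn1_string;

/* Constructed sample CN modelled on the case described above:
 * "paypal.com" 0x00 ".phishing.com" (the CA saw a phishing.com name). */
static const unsigned char NULL_PREFIX_CN[] = "paypal.com\0.phishing.com";
static const asn1_string SAMPLE_CN = { NULL_PREFIX_CN, sizeof(NULL_PREFIX_CN) - 1 };

/* Constructed legitimate CN for comparison. */
static const unsigned char LEGIT_CN[] = "paypal.com";
static const asn1_string LEGIT_SAMPLE_CN = { LEGIT_CN, sizeof(LEGIT_CN) - 1 };

/* Vulnerable: treats the CN as a C string, so strcmp stops at the first
 * 0x00 and only "paypal.com" is ever compared against the host. */
bool match_hostname_vulnerable(const asn1_string *cn, const char *host)
{
    return strcmp((const char *)cn->data, host) == 0;
}

/* Hardened: use the ASN.1 length for the comparison and refuse any CN that
 * contains an embedded NUL, which has no legitimate use in a hostname. */
bool match_hostname_fixed(const asn1_string *cn, const char *host)
{
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return false;                      /* embedded NUL: reject certificate */
    size_t hlen = strlen(host);
    return cn->len == hlen && memcmp(cn->data, host, hlen) == 0;
}
```

The vulnerable check accepts the null-prefix certificate for paypal.com; the fixed check rejects it while still accepting the legitimate CN.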

Firefox patched the issue a few days after the initial presentation, but other browsers such as IE and Chrome rely on Microsoft's CryptoAPI to process the certificate and are still vulnerable.

"There are thousands of products on Windows right now that are still vulnerable to this SSL attack, and if someone were to publicly publish a targeted null prefix certificate, they'd be in trouble," said the white-hat hacker, who goes by the moniker Moxie Marlinspike. "Basically, everything that runs on Windows would be vulnerable with that one certificate." (source: Theregister.co.uk)

Note: The wildcard SSL certificate that Jacob Appelbaum released tricks older versions of the Network Security Services library into authenticating any website on the internet. But a lot of other applications using CryptoAPI might still be vulnerable to similar SSL MITM attacks. Time to patch the API like Firefox did.
