Advertisement
Promo

Security threats Toolkit

Researchers exploit SSL and domain flaws

Elinor Mills CNET News

Published: 30 Jul 2009 10:55 BST

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

Two researchers have independently uncovered flaws in the way domain names are verified on the internet, which could allow attackers to impersonate a site and steal information from unsuspecting surfers.

Dan Kaminsky, who discovered a serious flaw in the Domain Name System (DNS) last year, and independent researcher Moxie Marlinspike gave presentations at the Black Hat security conference on Wednesday about how someone could acquire certificates for domains they did not own, thus tricking people into visiting illegitimate sites or inadvertently sharing information.

Marlinspike said a flaw in the way browsers and mail clients implement Secure Sockets Layer (SSL) allows for so-called "man-in-the-middle" attacks in which an attacker could trick browsers into presenting the site as legitimate.

The attacker can ensure continued interception of a victim's data by intercepting Firefox auto-update requests, which depend on SSL, Marlinspike said in an interview. He has written a software tool to enable this, which works with a modified version of Firefox, "so that anytime you submit something to a site, it sends me a copy," he said.

"The diabolical thing is this is a vulnerability, but the update mechanisms themselves can not be trusted," Marlinspike added.

Chrome and IE are also vulnerable to such an attack, although it would be harder with the latter because it employs the additional step of using code-signing certificates, Marlinspike said. He has not analysed Chrome enough to see how serious of an issue it would be.

"They all need to change their implementation of SSL," he said, adding that he has been working with Mozilla.

Marlinspike said he will release his tool as soon as a Firefox patch is out — possibly in the next week or so.

Read this

Comment
Tackling the threat from compromised websites

Most web-based malware now comes from genuine sites that have been compromised, but security expert Mary Landesman wonders: are site owners and visitors are addressing the problem?

Read more +

Until Mozilla changes the way its auto-update system handles SSL, he suggested users turn off the function on Firefox.

Meanwhile, Kaminsky, director of penetration testing for IOActive, said he was able to trick a certification authority into providing a certificate verifying authenticity for a domain that belongs to someone else. He tested his attack using a fake defcon.org domain and was able to use a naming trick to convince the authority running SSL to not contact the domain owner to verify the validity of the request.

Kaminsky was able to do this by exploiting a vulnerability in X.509, the protocol for generating SSL connections.

"If a certification authority and a browser disagree about a name being validated, an attacker could impersonate any domain name," he said in an interview.

The vulnerability undermines the system of trust that the web relies on for e-commerce and other activities, according to Kaminsky. By uncovering it, crisis may have been averted, he said.

"This is our best technology for doing authentication and it failed," he said. "We'll fix it, but it's another sign that we need to revisit how we do the basics; how we do authentication on the internet."

Kaminsky said extended certificate validation — to prove the identity of an organisation behind a website — should be used for any site where phishing is a threat. He also suggested that much of the problem could be solved with the use of DNSSEC — extensions to DNS that provide additional information to servers about the data communication and its origin.

He added that he was able to use different types of attacks to exploit the vulnerability, which have been resolved, and one, involving the MD2 hash algorithm standard to sign certificates, is being phased out.

Third-party certification authority VeriSign no longer uses the MD2 standard, having transitioned to the SHA-1 algorithm on 17 May, said Tim Callan, a vice-president of product marketing at the domain registrar. "We're completely behind any efforts to improve X.509 and DNSSEC," he said.

Credit: Researchers exploit flaws in SSL and domain authentication system from CNET News

  • Email
  • Trackback
  • Clip Link
  • Print friendlyPrint with EPSON

Did you find this article useful?
1 out of 1 people found this useful


In association with Network Liberation Movement

Talkback

Post a comment


Full Talkback thread

1 comment

  1. VeriSign Responds to Black Hat AllenKelly

Related Links

More In Security threats


Company/Topic Alerts

Create a new alert from the list below:






Related BlackBerry Resources

Protecting the BlackBerry Device Platform Against Malware

BlackBerry Devices with Bluetooth - Security Overview

BlackBerry Enterprise Server IT Policy

BlackBerry Enterprise Solution - Security Technical Overview

BlackBerry Enterprise Solution and RSA SecurID

CIO's Guide to Mobile Security

See All White Papers

Video icon

Video

Sentry Posts Blog

Opera censors Chinese content

Opera has updated the Chinese version of its mobile browser to stop users accessing restricted content. Opera Mini was updated on Friday from an international to a Chinese version,... More

1 comment

Symantec website breached

Security company Symantec has said that one of its websites was successfully breached. Romanian security researcher 'Unu' posted details of the breach in a blog post on Monday. Unu... More

Post a comment

Campaigners criticise '£10bn NHS IT ov...

The National Health Service's flagship IT project has been criticised by a tax campaign group for running billions of pounds over budget. The NHS National Programme for IT (NPfIT)... More

2 comments


Skip Sub Navigation Links to CNET Brand Links

Help

Become part of the ZDNet community.

ALL TOOLKITS

Blogs

Newsletters