Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

More holes found in Web's SSL security protocol

At Black Hat, researchers say these bugs could be used to create undetectable man-in-the middle attacks

Security researchers have found some serious flaws in software that uses the SSL (Secure Sockets Layer) encryption protocol used to secure communications on the Internet.

At the Black Hat conference in Las Vegas on Thursday, researchers unveiled a number of attacks that could be used to compromise secure traffic travelling between Web sites and browsers.

This type of attack could let an attacker steal passwords, hijack an on-line banking session or even push out a Firefox browser update that contained malicious code, the researchers said.

The problems lie in the way that many browsers have implemented SSL, and also in the X.509 public key infrastructure system that is used to manage the digital certificates used by SSL to determine whether or not a Web site is trustworthy.

A security researcher calling himself Moxie Marlinspike showed a way of intercepting SSL traffic using what he calls a null-termination certificate. To make his attack work, Marlinspike must first get his software on a local area network. Once installed, it spots SSL traffic and presents his null-termination certificate in order to intercept communications between the client and the server. This type of man-in-the-middle attack is undetectable, he said.

Marlinspike's attack is remarkably similar to another common attack known as a SQL injection attack, which sends specially crafted data to the program in hopes of tricking it into doing something it shouldn't normally do. He found that if he created certificates for his own Internet domain that included null characters -- often represented with a \0 -- some programs would misinterpret the certificates.

That's because some programs stop reading text when they see a null character. So a certificate issued to www.paypal.com\0.thoughtcrime.org might be read as belonging to www.paypal.com.

The problem is widespread, Marlinspike said, affecting Internet Explorer, VPN (virtual private network) software, e-mail clients and instant messaging software, and Firefox version 3.

To make matters worse, researchers Dan Kaminsky and Len Sassaman reported that they had discovered that a large number of Web programs are dependant on certificates issued using an obsolete cryptographic technology called MD2, which has long been considered insecure. MD2 has not actually been cracked, but it could be broken within a matter of months by a determined attacker, Kaminsky said.

The MD2 algorithm was used 13 years ago by VeriSign to self-sign "one of the core root certificates in every browser on the planet," Kaminsky said.

VeriSign stopped signing certificates using MD2 in May, said Tim Callan, vice president of product marketing at VeriSign.

However, "large number of Web sites use this root, so we can't actually kill it or we'll break the Web," Kaminsky said.

Software makers can, however, tell their products to not trust MD2 certificates; they can also program their products to not be vulnerable to the null-termination attack. To date, however, Firefox 3.5 is the only browser that has patched the null-termination issue, the researchers said.

This is the second time in the past half-year that SSL has come under scrutiny. Late last year, researchers found a way to create a rogue certificate authority, that could in turn issue phoney SSL certificates that would be trusted by any browser.

Kaminsky and Sassaman say there are a raft of problems in the way SSL certificates are issued that make them insecure. All of the researchers agreed that the x.509 system that is used to manage certificates for SSL is out-of-date and needs to be fixed.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: etwork, VeriSign

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: security, ssl
Latest Blog Posts
Whitepapers
  • Automating Your Processes to Outperform Your Competition
    Welcome to Volume Three of the “Intelligent Guide to Enterprise BPM.” Get ready for an education in automation—Process Automation, that is. This white paper goes into detail about the Process Automation entry point into an Enterprise Business Process Management (BPM) program. Read on to learn how Process Automation opens up new ways to help your business do things faster—like open up a new sales channel or deliver customer orders. Discover how Process Automation enables your business to run smoother and consistently in an orchestrated way. With a true Enterprise BPM solution, you can automate newly designed processes far easier than starting from scratch.
    Learn more »
  • Teleworking made simple—and secure—with desktop virtualisation technology
    Businesses of all sizes are increasingly focused on creating flexible work environments and offering telework options for employees. By administering policies and providing the technical capability for employees to work remotely, these companies can improve job satisfaction and worker attraction and retention. This paper explores the implementation of teleworking based on a foundation of desktop and server virtualisation.
    Learn more »
  • Server and Storage Optimization Techniques
    By meeting the requirements to deploy new applications and support a larger number of internal and external customers, IT organizations are facing a space, power, and cooling crunch. Read on.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.
Recent comments