SSL exploit turns Firefox into malware distributor
Security researcher Moxie Marlinspike gave one of the more interesting and terrifying presentations at BlackHat 2009 in Las Vegas yesterday. Marlinspike demonstrated how the X.509 digital certificates used by Secure Socket Layer (SSL) to secure online communications such as eCommerce and online banking were completely broken. This allowed Marlinspike to pose as the Mozilla update server for users on the same local area network, such as a hotspot, which allows him to distribute malware in the guise of a Mozilla Firefox update.
Categories: BlackHat, Security, Security news
That is a truly nasty bug. Great question… why would a CA sign a cert with a domain name that is not a valid domain name? Once again, poor programming…
J.Ja
@Justin James
Well, the CAs use OpenSSL which does not treat NULL CHAR as an end of string. The clients on the other hand such as Crypto API do treat NULL CHAR as end of string. That’s your disconnect right there.
Now the CAs can probably change their signing application to reject anything with a NULL CHAR in the subject line which would probably make sense since there’s no reason to have a character that the DNS system doesn’t recognize anyways.
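As an added example, not part of this comment thread, the disconnect described above in Python: a C-string style Common Name comparison that stops at the first NUL byte, beside a length-aware check that rejects any NUL, plus the issuance-side filter the comment suggests. The CN values and domain names are constructed placeholders.

```python
import re

# Added example (not from the post or its comments). Emulates the two behaviours
# the thread contrasts: a NUL-terminated string view (client side) versus a
# length-aware view (OpenSSL on the CA side), and shows the hardened checks.

# Constructed sample CN values; the domains are placeholders, not real targets.
LEGIT_CN = b"www.example.com"
NUL_CN = b"www.example.com\x00.attacker.example"

_DNS_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def cstring_view(value: bytes) -> bytes:
    """Emulate a NUL-terminated C string: bytes after the first 0x00 are invisible."""
    nul = value.find(b"\x00")
    return value if nul == -1 else value[:nul]


def naive_cn_matches(cn: bytes, expected_host: str) -> bool:
    """Vulnerable behaviour described in the thread: the CN is truncated at NUL,
    so a CN whose visible prefix equals the expected host is accepted."""
    return cstring_view(cn).lower() == expected_host.encode("ascii").lower()


def strict_cn_matches(cn: bytes, expected_host: str) -> bool:
    """Hardened client check: reject any embedded NUL, then compare the full CN."""
    if b"\x00" in cn:
        return False
    try:
        name = cn.decode("ascii")
    except UnicodeDecodeError:
        return False
    return name.lower() == expected_host.lower()


def ca_would_sign(cn: bytes) -> bool:
    """Issuance-side filter from the comment: refuse a CN containing NUL or any
    other character DNS does not allow. Wildcard labels are deliberately out of scope."""
    if b"\x00" in cn:
        return False
    try:
        name = cn.decode("ascii")
    except UnicodeDecodeError:
        return False
    return all(_DNS_LABEL.match(label) for label in name.split("."))


if __name__ == "__main__":
    for cn in (LEGIT_CN, NUL_CN):
        print(cn, naive_cn_matches(cn, "www.example.com"),
              strict_cn_matches(cn, "www.example.com"), ca_would_sign(cn))
```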
Well, that’s a failing by Open Source. I would hope to see an update, but would be afraid to use the auto update tool of FF. :/
It’s not just open source. Everyone screwed this implementation of X.509 up including Microsoft Crypto API and just about every other implementation of SSL.