WordPress Vulnerabilities

Vulnerabilities Allow Attacker to Impersonate Any Website | Threat Level | Wired.com

Vulnerabilities Allow Attacker to Impersonate Any Website

LAS VEGAS — Two researchers examining the processes for issuing web certificates have uncovered vulnerabilities that would allow an attacker to masquerade as any website and trick a computer user into providing him with sensitive communications.

Normally when a user visits a secure website, such as Bank of America, PayPal or eBay, the browser examines the website’s certificate to verify its authenticity.

However, IOActive researcher Dan Kaminsky and independent researcher Moxie Marlinspike, working separately, presented nearly identical findings in separate talks at the Black Hat security conference on Wednesday. Each showed how an attacker can legitimately obtain a certificate with a special character in the domain name that would fool nearly all popular browsers into believing an attacker is whichever site he wants to be.

The problem occurs in the way that browsers implement Secure Sockets Layer communications.

“This is a vulnerability that would affect every SSL implementation,” Marlinspike told Threat Level, “because almost everybody who has ever tried to implement SSL has made the same mistake.”

Certificates for authenticating SSL communications are obtained through Certificate Authorities (CAs) such as VeriSign and Thawte and are used to initiate a secure channel of communication between the user’s browser and a website. When an attacker who owns his own domain — badguy.com — requests a certificate from the CA, the CA, using contact information from Whois records, sends him an email asking to confirm his ownership of the site. But an attacker can also request a certificate for a subdomain of his site, such as PayPal.com\0.badguy.com, using the null character \0 in the URL.

The CA will issue the certificate for a domain like PayPal.com\0.badguy.com because the hacker legitimately owns the root domain badguy.com.

Then, due to a flaw found in the way SSL is implemented in many browsers, Firefox and others theoretically can be fooled into reading his certificate as if it were one that came from the authentic PayPal site. Basically when these vulnerable browsers check the domain name contained in the attacker’s certificate, they stop reading any characters that follow the “\0” in the name.

More significantly, an attacker can also register a wildcard domain, such as *\0.badguy.com, which would then give him a certificate that would allow him to masquerade as any site on the internet and intercept communication.

Marlinspike said he will be releasing a tool soon that automates this interception.

It’s an upgrade to a tool he released a few years ago called SSLSniff. The tool sniffs traffic going to secure web sites that have an https URL in order to conduct a man-in-the-middle attack. The user’s browser examines the attacker’s certificate sent by SSLSniff, believes the attacker is the legitimate site and begins sending data, such as log-in information, credit card and banking details or any other data through the attacker to the legitimate site. The attacker sees the data unencrypted.

A similar man-in-the-middle attack would allow someone to hijack software updates for Firefox or any other application that uses Mozilla’s update library. When the user’s computer initiates a search for a Firefox upgrade, SSLSniff intercepts the search and can send back malicious code that is automatically launched on the user’s computer.

Marlinspike said Firefox 3.5 is not vulnerable to this attack and that Mozilla is working on patches for 3.0.

With regard to the larger problem involving the null character, Marlinspike said since there is no legitimate reason for a null character to be in a domain name, it’s a mystery why Certificate Authorities accept them in a name. But simply stopping Certificate Authorities from issuing certificates to domains with a null character wouldn’t stop the ones that have already been issued from working. The only solution is for vendors to fix their SSL implementation so that they read the full domain name, including the letters after the null character.
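The flaw and the fix described above, shown as an added C example (not code from the article, the researchers or any browser): a certificate name held as bytes plus an explicit length is checked once as a C string and once using its full encoded length. The function names and the sample name are constructed for illustration, and wildcard matching is left out.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a certificate name as a counted byte string, the way
 * the certificate encoding carries it, with a NUL byte in the middle. */
static const char CERT_NAME[] = "paypal.com\0.badguy.com";
#define CERT_NAME_LEN (sizeof(CERT_NAME) - 1)  /* 22 bytes, without the C terminator */

/* ASCII case-insensitive comparison of exactly n bytes. */
static int eq_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Flawed check: treats the name as a C string, so everything after the
 * first NUL is never looked at and the encoded length is ignored. */
int match_c_string(const char *name, size_t name_len, const char *host)
{
    (void)name_len;
    size_t n = strlen(name);              /* 10 for the sample, not 22 */
    return n == strlen(host) && eq_nocase(name, host, n);
}

/* Corrected check: uses the encoded length, rejects any name containing a
 * NUL byte, and compares the whole name against the requested host. */
int match_counted(const char *name, size_t name_len, const char *host)
{
    if (memchr(name, '\0', name_len) != NULL)
        return 0;                         /* no legitimate name has a NUL */
    if (name_len != strlen(host))
        return 0;
    return eq_nocase(name, host, name_len);
}

int main(void)
{
    printf("flawed:    %d\n", match_c_string(CERT_NAME, CERT_NAME_LEN, "paypal.com"));
    printf("corrected: %d\n", match_counted(CERT_NAME, CERT_NAME_LEN, "paypal.com"));
    printf("genuine:   %d\n", match_counted("paypal.com", 10, "paypal.com"));
    return 0;
}
```
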

(Dave Bullock contributed to this article.)

Photo of Moxie Marlinspike by Dave Bullock.

Elyssa Durant Twitter Stats & Rankings (ElyssaD) | Twitaholic.com

Stats & Rankings for Elyssa Durant


Twitter Page | Website

Bio: After a year– sharing ugly secrets and the most despicable of crimes; This is me. My name is Elyssa. I provided the dots. Very few managed to connect them.


Date Followers Following Updates
August 02, 2010 5,185 4,037 86,021
July 31, 2010 5,118 4,018 85,408
July 15, 2010 4,852 3,928 79,699
July 08, 2010 4,878 3,922 79,284
June 28, 2010 4,787 3,891 77,509
June 25, 2010 4,756 3,869 76,488
April 15, 2010 4,105 3,608 61,121
March 17, 2010 4,004 3,561 56,502
March 10, 2010 3,919 3,483 54,609
March 03, 2010 3,877 3,446 53,478
February 28, 2010 3,858 3,441 53,156
February 25, 2010 3,822 3,414 52,548
February 22, 2010 3,846 3,417 52,298
February 09, 2010 3,664 3,257 146,906
December 16, 2009 2,905 2,771 38,000
November 17, 2009 2,439 2,281 33,633
November 10, 2009 2,323 2,171 32,654
November 03, 2009 2,223 2,113 31,093
October 31, 2009 2,223 2,112 31,032
October 28, 2009 2,157 2,095 30,239
October 25, 2009 2,014 2,063 29,717
October 12, 2009 1,681 1,404 28,220
September 23, 2009 1,621 1,313 26,526
August 18, 2009 1,479 1,167 19,964
July 13, 2009 1,341 898 16,002
July 06, 2009 1,323 867 15,143
July 03, 2009 1,275 835 14,403
June 30, 2009 1,256 809 13,452
June 27, 2009 1,198 675 12,067
May 26, 2009

http://twitaholic.com/ElyssaD/
