Researchers exploit flaws in SSL, domain authentication system

Dan Kaminsky and Moxie Marlinspike explain how flaws in the way domain names are verified on the Internet could allow attackers to impersonate a site and steal information from unsuspecting Web surfers.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
3 min read

LAS VEGAS--Two researchers have separately uncovered flaws in the way domain names are verified on the Internet that could allow attackers to impersonate a site and steal information from unsuspecting Web surfers.

Moxie Marlinspike Elinor Mills/CNET News

Dan Kaminsky, who discovered a serious flaw in the Domain Name System (DNS) last year, and Moxie Marlinspike gave presentations at the Black Hat security conference on Wednesday about how someone could acquire certificates for domains they don't own and thus trick people into visiting those illegitimate sites or inadvertently sharing information.

Marlinspike, an independent researcher, said a flaw in the way browsers and mail clients implement Secure Sockets Layer (SSL) allows for so-called man-in-the-middle attacks in which an attacker could trick browsers into presenting the site as legitimate.

The attacker can ensure continued interception of a victim's data, as well, by intercepting the Firefox auto update requests, which depend on SSL, he said in an interview. Marlinspike wrote a software tool to enable this, working with a modified version of Firefox "so that anytime you submit something to a site it sends me a copy," he said.

"The diabolical thing is this is a vulnerability, but the update mechanisms themselves cannot be trusted," Marlinspike added.

Chrome and Internet Explorer are also vulnerable to such an attack, but it would be harder on IE since that browser employs an additional step of using code signing certificates, he said. Marlinspike said he had not analyzed Chrome enough to see how serious of an issue it would be.

"They all need to change their implementation of SSL," he said, adding that he has been working with Mozilla.

Marlinspike said he will release his tool as soon as a Firefox patch is out, possibly in the next week or so.

And until Mozilla changes the way its auto update system handles SSL he suggested users turn off the auto update function on Firefox.

Dan Kaminsky Elinor Mills/CNET News

Meanwhile, Kaminsky, director of penetration testing for IOActive, said he was able to trick a Certificate Authority into providing a certificate verifying authenticity for a domain that belongs to someone else. He tested his attack using a fake Defcon.org domain and was able to use a naming trick to convince the Certification Authority running SSL to not contact the domain owner to verify the validity of the request.

Kaminsky was able to do this by exploiting a vulnerability in X.509, the protocol for generating SSL connections.

"If a Certificate Authority and a browser disagree about a name being validated, an attacker could impersonate any domain name," he said in an interview following a press conference after his talk.

The vulnerability undermines the system of trust that the Web relies on for e-commerce and other activities, according to Kaminsky. By uncovering it, a crisis may have been averted, he said.

"This is our best technology for doing authentication and it failed," he said. "We'll fix it, but it's another sign that we need to revisit how we do the basics; how we do authentication on the Internet."

Kaminsky said extended certificate validation--to prove the identity of the organization behind a Web site--should be used for any site at which phishing is a threat. He also suggested that much of the problem could be solved with the use of DNSSEC, extensions to DNS that provide additional information to servers about the data communication and its origin.

He said he was able to use several different types of attacks to exploit the X.509 vulnerability that has been resolved and one involving the MD2 hash algorithm standard to sign certificates that is being phased out.

VeriSign no longer uses the MD2 standard, having transitioned to the SHA-1 algorithm on May 17, said Tim Callan, a vice president of product marketing at the domain registrar.

"We're completely behind any efforts to improve X.509" and DNSSEC, he said.

Updated on July 30 at 2:27 p.m. PDT: Marlinspike said the issue he presented has been fixed in Firefox 3.5 and that Mozilla is working on packporting the patch into the 3.0.x series now.

Meanwhile, a Mozilla representative said: "We strongly disagree with the suggestion that users turn off security updates. Regular security updates are one of the best protections users have against newly discovered vulnerabilities in any piece of software. They are the path by which problems like the ones Moxie identified get quickly remedied before they can be exploited."