SSL takes a serious beating at BlackHat and Defcon conferences
Moxie Marlinspike, Dan Kaminski and Mike Zusman all presented talks at both Blackhat and Defcon that expose serious flaws the implementation and model of SSL and the way we us it today.
First of all both Marlinspike and Kaminski discovered a flaw in the implementation of the client side of SSL, which is all about requesting an SSL certificate with a NULL (\0) character in the name. As Kaminski pointed out, Marlinspike’s exploit for this was the best of the two. Moxie was able to request a number of null-character certificates. His first request for www.bankofmaerica.com\0toughtcrime.com was interpreted by the Certificate Authority (CA), the company issuing certificates, as a toughtcrime.com certificate and thus it could validly be requested by Marlinspike, but nearly all browsers and other clients like SSL VPN’s, chat clients, etc as being a certificate for www.bankofameric.com. When Marlinspike investigated the routine that is responsible for handling these so called null terminated certificates, he discovered the certificates like (www.paypal.com|www.bankofamerica.com|login.live.com)\0tooughcrime.com would be valid for the first four domains and *\0toughtcrime.com would actually be valid for all domains. While he was inspecting the code, he also discovered that a certificate with the common name (AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0OVERWRITE).foo.com would actually cause an exploitable memory overwrite.
Moxie developed a tool and technique called SSLSNIFF which is able to do undetectable Man in the Middle attacks on SSL connections exploiting the possibilities null terminated certificates offer. He defined three possible counter measures against his attack. Certificate validation, software updates and extended validation certificates. Unfortunately he was able to defeat two of these three measures.
Certificate validation these days is handled mostly by the OCSP, the Online Certificate Status Protocol. Marlinspike found a flaw in the protocol. On of the statuses the OCSP can send back is “Try later…”, represented by the number 3. Such a reply does not need to be signed by the CA an causes the browser to fail open, or as Moxie put it: “OCSP is defeated by the number 3”.
Software updates can be another issue. At the time of the presentation, these bugs where only fixed in Firefox 3.5, so how do you prevent people from updating to this version? Most browsers these days have a so called auto update function, this function searches online for a more recent version of the browser, addons or plugins. In order to ensure that no malicious content is installed, the browsers rely on SSL, the same SSL that was broken by Marlinspike’s SSLSNIFF.
But there is more trouble in paradise. Marlinspike also demonstrated a technique het called ssl stripping. Ssl stripping does not attack SSL itself, instead it actually attacks, what Moxie described as the bridge between http and https. “Https is today’s world is not often encountered directly. Users don’t often type https:// in the address bar themselves. In stead they get redirected to an https site or click on a link to it”. By performing an man in the middle attack on the http connection and carefully rewriting all https requests to http requests, Marlinspike was able to create near exact copies of the login pages for services such as gmail and paypal. The user would only know something is wrong, if they notice that the https prefix is not there or that the padlock symbol is missing.
Dan Kaminski was also able to exploit the common name field to get certificates he should not be getting. Different implementations of certificate validation routines have flaws when it comes to handling certificates with multiple common names in them. By requesting a certificate with three common names: CN=www.ioactive.com, CN=www.bankofameric.com and CN=* Kaminski was able to get a certificate that would perceived as follows; the CA would sees the certificate as an www.ioactive.com certificate, which Kaminski is allowed to request. Internet Explorer will interpret the certificate as a www.bankofamerica.com certificate and Firefox will allow the certificate to be used for any url.
Besides the common name abuse, Kaminski also showed us that there is still an MD2RSA signed root certificate present in all browsers. While practical exploitation is not possible at the moment, it is very likely that this possible in the near future. Most browser vendors are working to fix the issue right now, but Kaminski kindly requested his public to “please, do not hack MD2 in the next six months.”
The last talk I attended was Mike Zusman’s “Criminal Charges not Pursued, Hacking PKI”. Mike used another technique to get “interesting” certificates. By exploiting a flaw in the web application of a CA, he was able to request certificates for pretty much any domain he wanted.
One of the solutions seems to be popping up is Extended Validation, which in a sense takes us back a couple of years. A few years back, the only way to buy a certificate was to provide legal evidence that you had control over a domain via an out of band mechanism to a human, but then these persons at the CA’s where replaced by an online application with an automated validation process and the fun started.
Extended Validation changes this by enforcing standards for validation and requiring validation by a human before the certificate gets issued. Extended Validation (EV) CA’s are hard coded in the browser to prevent the addition of malicious CA’s. But EV certificates get trusted just as much as classic certificates.
Mike Zusman was able to perform a man in the middle attack PayPal, which uses an EV certificate to protect its site. What his program does is only redirect a small portion of the traffic, the actual login, to his own malicious website which has a non-EV www.paypal.com certificate obtained via on of the methods described earlier. The only side effect visible to the user is a brief flickering of the green address bar. But will a user notice or care?
Obviously dual factor authentication, like PayPal’s security key, will reduce the risk, but what can we really do?
I was able to share a beer with Mike after he presentation and it looks like there are fundamental underlying problems with the current certificate structure. Here we have architecture of trust, yet its foundations are built on the known insecure DNS database. Browser vendors claim they have this set of rules that should be obeyed in order for a CA to be included in the browser, yet practice shows that certain CAs that have not followed these rules are still in the browser, while on commercial CAs, like CAcert are having a hard time getting included in browsers for what seems to be political reasons.
It is time to ask ourselves fundamental questions like: Is it a good thing that a browser vendor determines who’s assertion of identity to trust. There is a trend that browsers make it harder to accept invalid certificates. Mike said: “It currently takes more clicks to accept an invalid certificate, then to import a new CA”. Is this a good thing?
Both Zusman and Kaminski agree that is would be a good thing if we had a trustworthy DNS structure that we could just to, e.g. store the fingerprints of certificates that are valid for our domain. Unfortunately DNSSEC is currently in a status quo. The current implementation still got issues, but until the root servers are going to be signed nobody will be motivated to fix these issues.
It would be GREAT, Frank, if you could use a spellchecker or have someone proof your work before you blast it out for millions to read. It was so terrible I almost stopped reading half way through and surely would have if the topic wasn’t so interesting to me. I don’t mean to be rude, but that’s very unprofessional and just plain sloppy. I found MANY misspelled words and some completely destroyed the entire sentence; for example, “On of the statuses the OCSP can send back is “Try later…”, represented by the number 3.” EEEEE! Not On, but O-N-E with an EEEEE! That’s just one of many that stood out like a sore thumb. Again, to reiterate, PLEASE use a spellchecker!
@Steven
Thanks for you feedback. It is good to know that there is somebody that reads to posts that I write in my spare time.
I am sorry that my limited skills with the English language (I am not a native speaker) put you off. I should have needed spell checked the post, but since I wrote it after the conference finished and wanted to upload it quickly I missed that opportunity.
Frank, don’t be troubled by poor spelling that most spellcheckers would not find anyway. Concentrate on substance of which you gave us plenty. I think it’s time we either rebuilt the internet with security in mind or built an alternative network for all secure traffic which to all intents and purposes was physically separated from the existing network. The more complicated the internet is made in an attempt to chase security the more potential openings and flaws exist. It seems to me that making an inherently insecure software system secure is fundamentally impossible in the same way that making a totally self consistent and completge logical system is impossible (Godel, 1931)
Tony,
Thanks for you kind words.
You are correct when you state that complexity and security are natural enemies. Bert Hubert sees this the biggest problem with DNSSEC.
Building a second secure net will be hard without puttng anybody in charge and frankly I don’t know who I want to be in charge of the Internet.
Even tough the Internet is not perfect, it works quite well. Most perfect systems don’t seem to work very well.