
Researchers Expose SSL Domain Authentication Flaws

Posted On Sunday, August 2, 2009

On Wednesday at the Black Hat and DefCon security conferences, Dan Kaminsky and Moxie Marlinspike presented important information about exploitable flaws in the SSL domain authentication system. They described how someone could obtain certificates for domains they do not have the ownership rights to, enabling them to convince visitors to visit illegitimate sites and leaving those visitors vulnerable to sharing valuable information. Marlinspike described this flaw as a man-in-the-middle attack forcing browsers to present illegitimate websites as being authentic.

Marlinspike went on to describe a software tool he wrote that can send him a copy of anything a user submits to an exploited SSL domain. The software works with a slightly modified version of the popular Firefox web browser. He also mentioned that both Google Chrome and Microsoft’s Internet Explorer are vulnerable to this type of attack. He further explained that Internet Explorer invokes another step which uses code signing certificates, and that he has not researched Chrome enough to see what the effects would be.

To sum it up, he feels that all of the browsers need to change the way they implement SSL. He is currently working with Mozilla on a fix for the Firefox browser. The tool that Marlinspike has developed will be released once the Firefox patch is available to the public. The patch could be available as early as next week. He noted that until the Firefox update system changes the way it handles SSL, he would advise users to disable the auto update function located in the browser.

Kaminsky, who works as the director of penetration testing for IOActive, described how he can trick a Certificate Authority into providing a certificate verifying the authenticity of a domain that is owned by another party. Kaminsky is able to conduct this attack because of a vulnerability in the X.509 protocol, which is responsible for creating SSL connections.

Mozilla, Microsoft and Google have all stated that they are actively investigating the issues. Mozilla said that most of the problems have been addressed in the latest version of its browser and also disagreed with Kaminsky’s recommendation on disabling Firefox updates. They went on to state that the rest of the updates will be available in the coming week.

Verisign Inc. disputed the findings and stressed that their certificates are not vulnerable. They stated that the man-in-the-middle attack does not work against their Extended Validation SSL certificates. These certs are expensive and also require an internal inspection of a given company’s certificate application.

Regardless of what Verisign feels, these researchers have provided a great deal of insight on an exploit which could be potentially hazardous if placed into the wrong hands. As domainers, we definitely need to keep a close eye on the security industry because vulnerabilities like this could directly affect our business. I commend both Dan Kaminsky and Moxie Marlinspike for providing this information and definitely value their contribution to the overall Internet community.
