Technology.am (Aug 2, 2009) — A powerful new type of Internet attack works like a telephone tap, except that it operates between computers and the Web sites they trust.
Hackers at the Black Hat and DefCon security conferences have revealed a serious flaw in the way Web browsers weed out untrustworthy sites and block anybody from seeing them.
The attack was demonstrated by three hackers. Independent security researcher Moxie Marlinspike presented alone, while Dan Kaminsky, with Seattle-based security consultancy IOActive Inc., and security and privacy researcher Len Sassaman presented together.
They reached essentially the same conclusion: there are major problems in the way browsers interact with Secure Sockets Layer (SSL) certificates, a technology commonly used on banking, e-commerce and other sites handling sensitive data.
SSL certificates are a critical technology in assigning trust on the Web.
Sites buy them to encrypt traffic and assure visitors it’s OK to enter confidential information. Companies that sell SSL certificates verify that someone trying to buy a certificate actually owns the site that certificate will be attached to.
The presence of an SSL certificate on a site is designated by a padlock in the address bar. Browsers are programmed to block sites that don’t have a valid SSL certificate, or have a certificate displaying a Web address that doesn’t match the address a Web surfer was trying to reach (which can indicate someone has hijacked a person’s Internet session). If the sites aren’t blocked, users are warned about potential danger, and have the option to click through.
The problems outlined by the researchers center on a quirk in the way browsers read SSL certificates.
Many SSL certificate companies will allow people to insert a special character called a “null character” into the Web address on the certificates they receive. Web browsers stop reading the Web address on a certificate when they hit that character, and they ignore everything that follows it.
The trick in the latest type of attack is that all a criminal would need to do is put the name of a legitimate Web site before that character, and the browser will believe that the site it’s visiting – which is under the criminal’s control – is legitimate.
The criminal could then forward the traffic onto the legitimate site and spy on everything the victim does on that site.
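To make the quirk concrete, here is an added example in C that is not from the article or from the researchers' demonstration: a flawed name-matching routine that stops at the first null byte, beside a hardened one that rejects names containing an embedded null and compares the full declared length. The certificate name and host names are constructed samples.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* A certificate subject name as it arrives from the certificate encoding:
 * a byte buffer with an explicit length, in which NUL bytes are permitted. */
typedef struct {
    const unsigned char *data;
    size_t len;
} cert_name;

/* Flawed check (the historic behaviour described in the article): the name is
 * treated as a C string, so comparison stops at the first NUL byte and every
 * byte after it is silently ignored. */
bool flawed_name_matches(const cert_name *cn, const char *host)
{
    return strcmp((const char *)cn->data, host) == 0;
}

/* Hardened check: refuse any name containing a NUL byte anywhere within its
 * declared length, then require an exact full-length match. */
bool hardened_name_matches(const cert_name *cn, const char *host)
{
    size_t hostlen = strlen(host);
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return false;              /* embedded NUL: reject the certificate */
    if (cn->len != hostlen)
        return false;              /* lengths differ, so no match */
    return memcmp(cn->data, host, hostlen) == 0;
}

/* Constructed sample name of the form "<trusted name>\0<other name>".
 * Its declared length (29 bytes) covers both halves and the embedded NUL. */
static const unsigned char SAMPLE_CN[] = "bank.example\0other.example";
static const cert_name SAMPLE = { SAMPLE_CN, sizeof(SAMPLE_CN) - 1 };

/* The flawed check accepts the sample for bank.example; the hardened one does not. */
bool flawed_accepts_sample(void)   { return flawed_name_matches(&SAMPLE, "bank.example"); }
bool hardened_accepts_sample(void) { return hardened_name_matches(&SAMPLE, "bank.example"); }
```

The hardened routine still accepts an ordinary name such as "bank.example" when its declared length equals the host name's length, so the fix does not break legitimate certificates.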
If a criminal infiltrates a network, he can set up a secret eavesdropping post and capture credit card numbers, passwords and other sensitive data flowing between computers on that network and sites their browsers have deemed safe.
An attacker could hijack the auto-update feature on a victim’s computer, and trick it into automatically installing malware pulled in from a hacker’s Web site. The computer would think it’s an update coming from the software manufacturer.
It’s a complicated attack, but it highlights a significant weakness in the very technology widely used to assure people it’s safe to navigate sensitive sites.