Undetectable man-in-the-middle attacks part #2

It seems that the independent researcher Moxie Marlinspike has been quite busy lately. Here he presents a new X.509 certificate attack that goes undetected.
The idea is simple but ingenious. An SSL certificate whose Common Name contains a legitimate site name and an attacker's site name separated by a NUL (0x00) character fools the browser. The Common Name looks something like this: “www.paypal.com” + NUL + “.badguysite.com”.

Most browsers are written in C/C++. X.509 uses ASN.1, which encodes a string as its length followed by the data, whereas C/C++ strings are NUL-terminated. So when the browser compares the Common Name in the certificate against the host name, the string comparison stops on reaching a NUL (0x00), and voilà, only part of the Common Name is validated: the legitimate site….
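As an added illustration (not code from the post or from sslsniff), here is a C sketch of the comparison bug: a length-prefixed DER Common Name checked with strcmp() beside a check that honours the declared length and rejects embedded NULs. The tiny DER decoder, the sample bytes and all function names are constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* A decoded Common Name: explicit length plus raw bytes. DER allows 0x00 inside
 * the bytes, and nothing guarantees a terminating NUL. */
typedef struct { const unsigned char *data; size_t len; } asn1_string;

/* Minimal DER decoder for a short-form (length < 128) PrintableString (0x13) or
 * UTF8String (0x0C) TLV. Fails on other tags or a length past the buffer end. */
bool decode_der_string(const unsigned char *tlv, size_t tlv_len, asn1_string *out) {
    if (tlv_len < 2 || (tlv[1] & 0x80)) return false;
    if (tlv[0] != 0x13 && tlv[0] != 0x0C) return false;
    if ((size_t)tlv[1] > tlv_len - 2) return false;
    out->data = tlv + 2;
    out->len = tlv[1];
    return true;
}

/* Flawed check (the bug described above): strcmp() stops at the embedded NUL,
 * so ".badguysite.com" is never compared at all. */
bool cn_matches_flawed(const asn1_string *cn, const char *expected_host) {
    return strcmp((const char *)cn->data, expected_host) == 0;
}

/* Hardened check: reject any embedded NUL, then compare the full DER-declared
 * length instead of stopping at the first NUL. */
bool cn_matches_hardened(const asn1_string *cn, const char *expected_host) {
    if (memchr(cn->data, 0x00, cn->len) != NULL) return false;
    size_t hostlen = strlen(expected_host);
    return cn->len == hostlen && memcmp(cn->data, expected_host, hostlen) == 0;
}

/* Decode, then compare with the chosen check; a decode failure is a mismatch. */
bool verify_cn(const unsigned char *tlv, size_t tlv_len, const char *host, bool hardened) {
    asn1_string cn;
    if (!decode_der_string(tlv, tlv_len, &cn)) return false;
    return hardened ? cn_matches_hardened(&cn, host) : cn_matches_flawed(&cn, host);
}

/* Constructed samples. CRAFTED_TLV is a 30-byte PrintableString holding
 * "www.paypal.com" + 0x00 + ".badguysite.com"; the literal's trailing NUL lies
 * outside the DER length and only keeps strcmp() from reading past the array. */
static const unsigned char CRAFTED_TLV[] = "\x13\x1e" "www.paypal.com\0.badguysite.com";
static const unsigned char HONEST_TLV[]  = "\x13\x0e" "www.paypal.com";

int main(void) {
    const char *h = "www.paypal.com";
    printf("crafted CN: flawed=%d hardened=%d\n", verify_cn(CRAFTED_TLV, sizeof CRAFTED_TLV, h, false),
           verify_cn(CRAFTED_TLV, sizeof CRAFTED_TLV, h, true));
    printf("honest CN:  hardened=%d\n", verify_cn(HONEST_TLV, sizeof HONEST_TLV, h, true));
    return 0;
}
```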

Moxie has already implemented support for this new attack in his man-in-the-middle attack tool sslsniff.


~ by petergullberg on July 31, 2009.

One Response to “Undetectable man-in-the-middle attacks part #2”

  1. I recently came across your blog and have been reading along. I thought I would leave my first comment. I don't know what to say except that I have enjoyed reading. Nice blog. I will keep visiting this blog very often.

