More Certificate Woes

Tuesday 11th August 2009

At the recent BlackHat computer security conference, researcher Moxie Marlinspike revealed yet another attack on the SSL certificate management infrastructure that underpins much of the web's security.

The attack exploits the trend towards automated verification of certificate requests. Because of the increased volume of requests, it is not feasible for certification authorities to verify them manually, so they typically use an automated process that contacts the appropriate administrative contact for the domain. For example, asking for a certificate for mysite.honestnik.org would result in an email to (for example) root@honestnik.org for verification.

Due to peculiarities in the notoriously complex X.509 certificate standard, it is possible to ask for a certificate for a site name containing bogus characters, such as the ASCII null.

For example, asking for www.paypal.com\0mysite.honestnik.org would result in a certificate that most browsers would see as "www.paypal.com", but the verification request would go to root@honestnik.org, making it a valuable trick for would-be phishers.

This doesn't actually breach the X.509 standard, but clearly breaches common domain naming rules. While there may be some debate on the legality of certain printable characters in domain names, I think it's safe to say no-one is proposing ASCII NUL as a sensible choice. Marlinspike expands on this and various other attacks on SSL in his excellent paper and presentation.

Fortunately most current browsers have now been patched to handle this particular issue. Guardian also (following an update released last week) now does additional checks to prevent users visiting sites with dubiously produced certificates. More worrying is the failure of the certification authorities to follow standard industry practice in handling untrusted data; even more critical when the process is automated.
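The kind of check described above, as an added example (not code from SmoothWall, Guardian or any browser): a name comparison that ignores the encoded length beside one that validates every byte first. It assumes the flawed comparison treats the certificate name as a NUL-terminated C string; the function names are hypothetical and the sample name is the one used in this article.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the article's example name, with an embedded NUL byte. */
static const char SAMPLE_NAME[] = "www.paypal.com\0mysite.honestnik.org";
#define SAMPLE_LEN (sizeof(SAMPLE_NAME) - 1)

/* Flawed: ignores the encoded length, so strcmp() stops at the first NUL. */
int naive_name_matches(const char *name, size_t len, const char *host)
{
    (void)len;
    return strcmp(name, host) == 0;
}

/* 1 if only letters, digits, '-' and '.', no empty label (no wildcards here). */
int name_is_well_formed(const char *name, size_t len)
{
    size_t label = 0;
    if (len == 0 || len > 253) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {
            if (label == 0) return 0;
            label = 0;
        } else if (c < 0x80 && (isalnum(c) || c == '-')) {
            if (++label > 63) return 0;
        } else {
            return 0;               /* NUL, control bytes, spaces, non-ASCII */
        }
    }
    return label > 0;
}

/* Hardened: validate all `len` bytes, then compare the full length. */
int strict_name_matches(const char *name, size_t len, const char *host)
{
    if (!name_is_well_formed(name, len) || len != strlen(host)) return 0;
    for (size_t i = 0; i < len; i++)
        if (tolower((unsigned char)name[i]) != tolower((unsigned char)host[i]))
            return 0;
    return 1;
}

int main(void)
{
    printf("naive=%d ", naive_name_matches(SAMPLE_NAME, SAMPLE_LEN, "www.paypal.com"));
    printf("strict=%d\n", strict_name_matches(SAMPLE_NAME, SAMPLE_LEN, "www.paypal.com"));
    return 0;
}
```

The same well-formedness test applies on the certification authority side, where the requested name is untrusted input and should be rejected before any verification email is sent.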

More information: BlackHat.com: Marlinspike Presentation

Nik Barron www.virus.org

