Security Testers Spot Worrisome Weakness in SSL

Yet more Web security flaws have emerged to threaten Internet users, who are already bedeviled by the likes of drive-by attacks, SQL injections and spam.

At the Black Hat security conference in Las Vegas, researchers reportedly demonstrated serious flaws in the Secure Sockets Layer encryption protocol, a commonly used method of protecting communications on the Web.

One attack, demonstrated by security researcher Moxie Marlinspike, intercepts SSL traffic using a null-termination certificate — a certificate containing null characters such as “\0”.

Another flaw is that many Web programs depend on certificates that use an outdated cryptographic algorithm called “MD-2” or Message-Digest Algorithm 2.

The Null-Termination Certificate Attack

Marlinspike found that certificates he created for his own Internet domain that included null characters could be misinterpreted by some programs.

That could let hackers lead visitors away from legitimate sites to their own, from which they could launch attacks.

The problem affects Internet Explorer; Firefox 3; virtual private networking (VPN) software; e-mail clients and instant messaging apps, Marlinspike reportedly told conference-goers.
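The misreading described in this section, shown as an added example that is not code from the original article or from Marlinspike's presentation. It assumes the affected programs compared the certificate name as a NUL-terminated C string; the struct, function names and sample names are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A certificate name as a counted field: the length comes from the
   certificate encoding, not from a terminating NUL byte. */
struct cert_name { const char *data; size_t len; };

/* Naive check (assumed behaviour of an affected program): treats the field
   as a C string, so comparison stops at the first NUL and ignores the rest.
   Simplified to an exact, case-sensitive match. */
int naive_match(const struct cert_name *cn, const char *host)
{
    return strcmp(cn->data, host) == 0;
}

/* Length-aware check: refuse any name containing an embedded NUL, then
   compare the whole field against the expected host name. */
int strict_match(const struct cert_name *cn, const char *host)
{
    size_t hlen = strlen(host);
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return 0;
    return cn->len == hlen && memcmp(cn->data, host, hlen) == 0;
}

/* Constructed sample names on reserved example domains. The first holds a
   NUL byte in the middle of the field; the second is an ordinary name. */
static const char embedded[] = "www.example.com\0.other.example";
static const char plain[] = "www.example.com";

struct cert_name sample_embedded(void)
{
    struct cert_name n = { embedded, sizeof embedded - 1 };
    return n;
}

struct cert_name sample_plain(void)
{
    struct cert_name n = { plain, sizeof plain - 1 };
    return n;
}

int main(void)
{
    struct cert_name e = sample_embedded(), p = sample_plain();
    printf("embedded NUL: naive=%d strict=%d\n",
           naive_match(&e, "www.example.com"), strict_match(&e, "www.example.com"));
    printf("plain name:   naive=%d strict=%d\n",
           naive_match(&p, "www.example.com"), strict_match(&p, "www.example.com"));
    return 0;
}
```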

Dusting Off MD-2

In another presentation, security researchers Dan Kaminsky and Len Sassaman presented findings showing that a large number of Web applications depend on the obsolete MD-2 security algorithm.

Certificate authority and security vendor VeriSign used MD-2 13 years ago to self-sign one of the core root certificates in every browser on the planet. The vendor claims to have stopped using MD-2 in May, but it said it can’t be removed because it’s still in use by large numbers of Web sites.

The MD-2 attack is at least the second such attack on a Web security algorithm.

In December, seven researchers from the U.S., Switzerland and the Netherlands created a rogue certification authority trusted by all common Web browsers. They presented that information at the 25th annual conference of the Chaos Computer Club in Germany.

Hackers could attack SSL connections or manipulate the traffic to secure e-mail servers, according to Alexander Sotirov, one of the researchers.

The researchers exploited the MD-5 algorithm.

News of their exploit spurred VeriSign to pull its MD-5 certificates. Microsoft and the Mozilla Foundation began working with certificate authorities, which issue digital certificates, to ensure they update their issuing process.

Microsoft also issued Security Advisory 961509, in which it said the MD-5 vulnerability did not significantly increase the risk to customers because the researchers who discovered it did not publish the cryptographic background to the flaw.

The Whys And Wherefores of Discovery

The presentations were sparked by the researchers’ desire for publicity, said Laura DiDio, principal at ITIC.

“Let’s put this in context — the hacks were announced at Black Hat, which is a chance for the hackers to show off their skills so they can get publicity or funding,” she told TechNewsWorld. “What better way to get a big headline than come out and say they hacked SSL?”

The real issue, she said, is the improper implementation of SSL in browsers and problems with the X.509 public key infrastructure which helps manage digital certificates.

Forget about getting rid of MD-2, DiDio said.

“A lot of these older protocols live almost in perpetuity,” she explained. “The only thing enterprises can do is put in place good, solid computing policies and procedures and back these up with enforcement.”

More by Richard Adhikari