Jump to content

Breaking SSL with null characters

Mike Chelen

Recommended Posts

If you apply for a certificate, the certificate authority looks at the common name on the form and contacts the domain owner. The CA ignores the subdomain. The trick is to drop in a null character in the subdomain. If you register, www.paypal.com[null character].thoughtcrime.org, the CA will contact the owner of thoughtcrime.org and issue the cert. When clients like Firefox use NSS to verify the cert, the null character causes them to think the certficate is valid for www.paypal.com because they stop at the null character. Even if the person examines the cert in their browser, it will show www.paypal.com.

from black hat presentation http://hackaday.com/2009/07/29/black-hat-2...ull-characters/

probably browsers will be patched soon, still kind of shocking to know such flaws exist

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...