I remember talking with Dominick years ago about untrusted user input, and the surprising places it can be found, and I remember back then him throwing in the idea of malicious data coming from a certificate. Well, here’s an example that smacks of exactly that. An attacker asks a CA to give him a cert for paypal.com\0.badguy.com, where “\0” is a null character. The CA looks at the whole name, sees that the rightmost registrable part is badguy.com, confirms that the requestor owns badguy.com, and issues the cert.
I’m a bit surprised that a CA would issue a cert with a null in the name, but apparently it’s possible. Nothing in X.509 forbids it: the name is an ASN.1 string with an explicit length, so a null byte inside it is perfectly legal on the wire. What ends up happening is that the browser (or the crypto library under it) copies that name into a C string and compares it with strcmp-style code that stops at the first null. It reads up to the null, figures the cert is for paypal.com, and the padlock lights up for a site the attacker controls.
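To make the mismatch concrete, here is a small added example (my own illustration, not code from the post, from any CA, or from any browser). It models the certificate name as a length-prefixed ASN.1 string, a hypothetical CA that keeps only the registrable domain for its ownership check, a vulnerable browser check that uses strcmp, and a hardened check that refuses embedded nulls and compares the full declared length. The sample names, the simplified “second-to-last dot” CA rule, and the function names are all assumptions made for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* In a certificate the subject CN is an ASN.1 string: length-prefixed,
 * so a NUL byte inside it is perfectly legal DER. Only code that treats
 * the bytes as a NUL-terminated C string gets it wrong. */
typedef struct {
    const unsigned char *bytes;
    size_t len;
} asn1_string;

/* Constructed sample input: the CN from the post, with an embedded NUL. */
static const unsigned char kEvilCnBytes[] = "paypal.com\0.badguy.com";
static const asn1_string kEvilCn = { kEvilCnBytes, sizeof kEvilCnBytes - 1 };

/* Constructed benign sample for comparison. */
static const unsigned char kGoodCnBytes[] = "www.badguy.com";
static const asn1_string kGoodCn = { kGoodCnBytes, sizeof kGoodCnBytes - 1 };

/* Hypothetical, simplified CA-side parsing: the CA reads the name
 * length-aware and keeps only the part after the second-to-last dot,
 * which is the domain whose ownership it then validates.
 * Returns false if there are fewer than two dots or out is too small. */
bool ca_registrable_domain(const asn1_string *cn, char *out, size_t outsz)
{
    size_t dots = 0, start = 0;
    for (size_t i = cn->len; i > 0; i--) {
        if (cn->bytes[i - 1] == '.') {
            dots++;
            if (dots == 2) { start = i; break; }
        }
    }
    if (dots < 2 || cn->len - start + 1 > outsz)
        return false;
    memcpy(out, cn->bytes + start, cn->len - start);
    out[cn->len - start] = '\0';
    return true;
}

/* Would the CA's ownership check pass for the domain the requester controls? */
bool ca_would_issue(const asn1_string *cn, const char *owned_domain)
{
    char reg[256];
    return ca_registrable_domain(cn, reg, sizeof reg) &&
           strcmp(reg, owned_domain) == 0;
}

/* Vulnerable browser-side check: copies the CN into a C buffer and
 * compares with strcmp, which stops at the first NUL byte. */
bool browser_matches_cstring(const asn1_string *cn, const char *host)
{
    char buf[256];
    if (cn->len >= sizeof buf)
        return false;
    memcpy(buf, cn->bytes, cn->len);
    buf[cn->len] = '\0';
    return strcmp(buf, host) == 0;   /* only ever sees "paypal.com" */
}

/* Hardened check: refuse any name with an embedded NUL, then compare the
 * full declared length, case-insensitively as DNS names are. */
bool browser_matches_length_aware(const asn1_string *cn, const char *host)
{
    if (memchr(cn->bytes, '\0', cn->len) != NULL)
        return false;                     /* malformed name: refuse outright */
    size_t hlen = strlen(host);
    if (cn->len != hlen)
        return false;
    for (size_t i = 0; i < hlen; i++)
        if (tolower(cn->bytes[i]) != tolower((unsigned char)host[i]))
            return false;
    return true;
}

int main(void)
{
    printf("CA issues for owner of badguy.com: %d\n",
           ca_would_issue(&kEvilCn, "badguy.com"));
    printf("strcmp-style browser accepts as paypal.com: %d\n",
           browser_matches_cstring(&kEvilCn, "paypal.com"));
    printf("length-aware browser accepts as paypal.com: %d\n",
           browser_matches_length_aware(&kEvilCn, "paypal.com"));
    printf("length-aware browser accepts benign www.badguy.com: %d\n",
           browser_matches_length_aware(&kGoodCn, "www.badguy.com"));
    return 0;
}
```

The two sides disagree because they parse the same bytes differently: the CA honours the length and validates badguy.com, the strcmp-based client honours the first null and matches paypal.com. The hardened version closes the gap by treating an embedded null as a reason to reject, not as a terminator.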
Yet another reminder to consider any input as evil until you prove that it’s not, and a certificate is input just like anything else. Anyone building a browser, or writing any code that compares certificate names against hostnames, should watch for these types of games: reject a name that contains a null byte, and compare using the length the certificate declares rather than trusting a C string terminator.
Posted Aug 07 2009, 02:01 PM by keith-brown