Major SSL Vulnerability
July 30th, 2009
I’m kind of shocked there isn’t more news on this Major SSL vulnerability:
Certificates for authenticating SSL communications are obtained through Certificate Authorities (CAs) such as VeriSign and Thawte and are used to initiate a secure channel of communication between the user’s browser and a website. When an attacker who owns his own domain — badguy.com — requests a certificate from the CA, the CA, using contact information from Whois records, sends him an email asking to confirm his ownership of the site. But an attacker can also request a certificate for a subdomain of his site, such as Paypal.com\0.badguy.com, using the null character \0 in the URL.
The CA will issue the certificate for a domain like PayPal.com\0.badguy.com because the hacker legitimately owns the root domain badguy.com.
Then, due to a flaw found in the way SSL is implemented in many browsers, Firefox and others theoretically can be fooled into reading his certificate as if it were one that came from the authentic PayPal site. Basically when these vulnerable browsers check the domain name contained in the attacker’s certificate, they stop reading any characters that follow the “\0” in the name.
This is rather scary and has big ramifications for the security of most websites. There is now no easy way for an average user to feel confident they are actually securely communicating with the service they intend to.
SSL is important for two primary reasons. First and foremost, it provides a secure channel for communication. But secondly, it makes a pretty reasonable guarantee that you’re securely communicating with the server that is listed in your browser’s address bar. With this vulnerability, it’s possible [although difficult, still], for somebody to masquerade as the server in your address bar and allow you to securely communicate with them. Yikes.
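The quoted article describes the mechanism in words; the following is an added example (not code from the original post, and not from any browser or TLS library) that shows in C why a name containing a NUL byte slips past a string-based hostname check, and what the corrected check looks like. The `cert_name` struct, the function names and the sample name bytes are all assumptions constructed for the illustration. An X.509 subject name carries an explicit length, so the NUL is just one more byte of the name; the defect appears the moment that name is handled as a C string.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical representation of a certificate name as X.509 encodes it:
 * explicit length, so a NUL byte inside the name is an ordinary byte. */
typedef struct {
    const unsigned char *data;
    size_t len;
} cert_name;

/* Legacy-style check illustrating the flaw in the article: the name is
 * copied into a C string and compared with strcmp, so everything after
 * the first NUL byte is silently ignored. */
int cn_matches_host_legacy(const cert_name *cn, const char *host)
{
    char buf[256];
    if (cn->len >= sizeof buf)
        return 0;
    memcpy(buf, cn->data, cn->len);
    buf[cn->len] = '\0';
    return strcmp(buf, host) == 0; /* defect: stops reading at the first NUL */
}

/* Hardened check: reject any name with an embedded NUL outright (no valid
 * DNS name contains one), then compare the full encoded length, byte for
 * byte. Real validators also handle case folding and wildcards; those are
 * left out here to keep the NUL handling visible. */
int cn_matches_host_safe(const cert_name *cn, const char *host)
{
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return 0;
    size_t hlen = strlen(host);
    if (hlen != cn->len)
        return 0;
    return memcmp(cn->data, host, hlen) == 0;
}

/* Constructed sample name bytes in the shape the article describes:
 * "paypal.com", a NUL byte, then ".badguy.com" (22 bytes in total). */
static const unsigned char SAMPLE_CN[] = "paypal.com\0.badguy.com";
#define SAMPLE_CN_LEN (sizeof SAMPLE_CN - 1) /* exclude the literal's own terminator */

int demo_legacy_accepts(void)
{
    cert_name cn = { SAMPLE_CN, SAMPLE_CN_LEN };
    return cn_matches_host_legacy(&cn, "paypal.com"); /* 1: wrongly accepted */
}

int demo_safe_rejects(void)
{
    cert_name cn = { SAMPLE_CN, SAMPLE_CN_LEN };
    return cn_matches_host_safe(&cn, "paypal.com"); /* 0: rejected */
}

int demo_safe_accepts_exact(void)
{
    static const unsigned char honest[] = "paypal.com";
    cert_name cn = { honest, sizeof honest - 1 };
    return cn_matches_host_safe(&cn, "paypal.com"); /* 1: a genuine match still works */
}

int main(void)
{
    printf("legacy check accepts NUL-prefixed name: %d\n", demo_legacy_accepts());
    printf("safe check accepts NUL-prefixed name:   %d\n", demo_safe_rejects());
    printf("safe check accepts exact name:          %d\n", demo_safe_accepts_exact());
    return 0;
}
```

The practical takeaway for anyone writing or auditing certificate validation is the first line of `cn_matches_host_safe`: treat an embedded NUL in a name as an error rather than as a terminator, and never let the encoded length and the C-string length disagree. The same check belongs on the issuing side, where a CA should refuse to sign a name containing a NUL in the first place.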