News
Contributed by: Lauren Gerber
Date: August 7, 2009
Imagine that you could pass yourself off as any website of your choice. Your options would be unlimited, because you would have the entire internet to choose from. The normal process is this: when a user visits a site over a secure connection, the browser checks the site's certificate in order to verify that it really belongs to that site. It is unsettling, then, that two researchers working independently both discovered a method that online criminals could use to obtain a website certificate containing a null character within the domain name, which is enough to trick the majority of web browsers into accepting the criminal's server as any site of their choosing. The discovery was announced at the Black Hat security conference.

The specific problem lies in the way web browsers handle the domain name inside a certificate used for Secure Sockets Layer (SSL) communication, namely in how that name is read and interpreted. Certain companies known as Certificate Authorities (CAs) issue the certificates that authenticate SSL connections. If you own a site and have registered your own domain name, a CA will confirm that you control the domain and then issue you a certificate for it. This seems like a perfectly sound way of doing things in the virtual world; unfortunately the method has a flaw and is not as foolproof as we would like to believe. When an online criminal requests a certificate from a CA, the CA confirms that the criminal owns the domain being requested. That is all well and good, but the problem arises when the criminal requests a certificate for a sub-domain of a domain they really do own. That sub-domain can contain a null character, for example: www.barclays.co.uk\0.bestsite.com. With the \0 character in the name, the criminal can take full advantage of the flaw.
The point is, the CA will issue a certificate for a name such as www.barclays.co.uk\0.bestsite.com, because the fact of the matter is that the online criminal owns the root domain, bestsite.com. The trouble is a flaw in the way SSL certificate checking is implemented in browsers. A vulnerable browser can be fooled into reading the certificate as if it were the real Barclays site: when it checks the domain name in the certificate, it stops reading at the "\0" and ignores every character that follows it, so it compares only www.barclays.co.uk against the site the user asked for. If you think that is all, you are very much mistaken, as the flaw gets worse. A hacker can also register a wildcard name, for example *\0.bestsite.com. That produces a certificate which, in a vulnerable browser, lets the hacker impersonate any site on the entire World Wide Web and intercept the communication to it. One of the speakers at the Black Hat conference may be releasing a tool in the not too distant future that will automate this interception.

At the end of the day, with regard to hackers exploiting the null character in a domain, there is no real reason why a null character should ever appear in a domain name to start with. There is no explainable reason, at this point in time, why the Certificate Authorities even allow null characters in the name. The solution is for browser vendors to fix their SSL implementations so that they compare the entire domain name, including the characters after the null character, and for CAs to stop issuing certificates for names that contain one.

The 'majority of web browsers' includes
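The two checks described in this article, the browser's name comparison that stops at the embedded null and the full-length comparison that fixes it, as an added example written for this page rather than code from the researchers or from any browser or CA. The certificate names are constructed inline with their explicit lengths, as they would sit in the DER-encoded certificate; bestsite.com is a hypothetical attacker-owned domain, and the glob-style wildcard matcher stands in for the permissive matching that lets a bare "*" match every host.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample names with explicit lengths (as in the DER encoding).
 * bestsite.com is a hypothetical domain the attacker owns and the CA validated. */
static const char NULL_PREFIX_CN[] = "www.barclays.co.uk\0.bestsite.com";
#define NULL_PREFIX_CN_LEN (sizeof(NULL_PREFIX_CN) - 1)   /* 32 bytes */
static const char WILDCARD_CN[] = "*\0.bestsite.com";
#define WILDCARD_CN_LEN (sizeof(WILDCARD_CN) - 1)         /* 15 bytes */

/* Case-insensitive glob used by the vulnerable path: '*' matches any run of
 * characters, dots included, so a bare "*" matches every host name. */
static bool glob_match(const char *pat, const char *s)
{
    while (*pat) {
        if (*pat == '*') {
            pat++;
            if (*pat == '\0')
                return true;                   /* trailing '*' swallows the rest */
            for (; *s; s++)
                if (glob_match(pat, s))
                    return true;
            return false;
        }
        if (*s == '\0' || tolower((unsigned char)*pat) != tolower((unsigned char)*s))
            return false;
        pat++;
        s++;
    }
    return *s == '\0';
}

/* Vulnerable check: the name is copied into a C string, after which everything
 * relies on NUL termination, so nothing past the embedded \0 is ever compared
 * and "www.barclays.co.uk\0.bestsite.com" looks like "www.barclays.co.uk". */
bool vulnerable_host_matches(const char *cn, size_t cn_len, const char *host)
{
    char name[256];
    if (cn_len >= sizeof name)
        return false;
    memcpy(name, cn, cn_len);
    name[cn_len] = '\0';
    return glob_match(name, host);
}

/* Validation over the full length: only DNS label characters, '*' only in the
 * first position, no embedded NUL. A CA should run this on a requested name
 * before issuing; a browser should run it before matching. */
bool is_valid_dns_name(const char *cn, size_t cn_len)
{
    if (cn_len == 0 || cn_len > 253)
        return false;
    for (size_t i = 0; i < cn_len; i++) {
        unsigned char c = (unsigned char)cn[i];
        if (c == '\0')
            return false;                      /* embedded NUL: reject outright */
        if (!(isalnum(c) || c == '-' || c == '.' || (c == '*' && i == 0)))
            return false;
    }
    return true;
}

static bool eq_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Hardened check: compares the whole name using its explicit length and lets
 * "*.example.com" stand in for exactly one leftmost label, nothing more. */
bool safe_host_matches(const char *cn, size_t cn_len, const char *host)
{
    if (!is_valid_dns_name(cn, cn_len))
        return false;
    size_t host_len = strlen(host);
    if (cn[0] != '*')
        return host_len == cn_len && eq_nocase(cn, host, cn_len);
    /* Wildcard form must be at least "*.label.tld". */
    if (cn_len < 2 || cn[1] != '.' || memchr(cn + 2, '.', cn_len - 2) == NULL)
        return false;
    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host)
        return false;
    size_t suffix_len = host_len - (size_t)(dot - host);
    return suffix_len == cn_len - 1 && eq_nocase(cn + 1, dot, suffix_len);
}

int main(void)
{
    const char *victim = "www.barclays.co.uk";
    printf("null-prefix CN vs %s: vulnerable=%d safe=%d\n", victim,
           vulnerable_host_matches(NULL_PREFIX_CN, NULL_PREFIX_CN_LEN, victim),
           safe_host_matches(NULL_PREFIX_CN, NULL_PREFIX_CN_LEN, victim));
    printf("wildcard CN vs %s: vulnerable=%d safe=%d\n", victim,
           vulnerable_host_matches(WILDCARD_CN, WILDCARD_CN_LEN, victim),
           safe_host_matches(WILDCARD_CN, WILDCARD_CN_LEN, victim));
    return 0;
}
```

The vulnerable path accepts both constructed names for www.barclays.co.uk, and the wildcard one for any host at all; the hardened path rejects both, because the embedded null fails validation before any comparison happens, while still accepting a legitimate www.bestsite.com or *.bestsite.com certificate for the hosts it should cover.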