Bugs in Mozilla browsers facilitate man-in-the-middle attacks
Phishers can exploit a flaw in the way Mozilla based browsers, Konqueror and Safari 2 process SSL certificates. According to Nils Toedtmann in a posting on the Full Disclosure security mailing list, the problem arises as a result of an error in the way that alternative domain names and wildcards for domains are processed. As a result, certificates for phishing websites can either appear valid due to a certificate being accepted temporarily in the course of a session or fail to provoke an error message stating that the certificate authority is unknown.
After the browser is closed, the crafted certificate is usually deleted. However users can choose to accept certificates permanently, in which case such crafted certificates may persist.
According to Toedtmann, the cause of the vulnerability is the way in which the affected browsers handle domain names in the subjectAltName certificate attribute. This attribute is used to record alternative domain names, as certificates usually include only one common name (CN) in the distinguished name (DN). This might, for example, take the following form:
Should a user, despite warning messages, accept a self-signed certificate from an attacker on accessing the apparently innocent website www.example.com, no error message will be displayed if, for instance, a fake PayPal website is subsequently accessed. An attacker still needs to divert an attempt to access paypal.com to his server, using, for example, a man-in-the-middle attack or domain spoofing, but such attacks are not unusual nowadays - an opportunity to carry out such an attack was recently provided by a vulnerability in the BIND name server. An MITM attack's cover is usually quickly blown by the popup error message in the browser. Not, however, in this case.
In addition, this trick can apparently be used not only with full domains, but also with wildcards, such as *.co.uk, so that any domain in .co.uk will work with the crafted certificate. According to Toedtmann, Mozilla has been aware of this problem for years. He thus presents his publication not as an advisory, but as a public reproach. A demonstration of the problem can be found at X.509 subjectAltName test page.
Toedtmann also criticises the fact that no browser currently displays the additional domain names by default when displaying a certificate. This makes it harder for users to recognise a potential attack. At present, the only way for users to find out whether an accepted certificate contains suspect additional names is by examining the certificate details and, in case of doubt, deleting it. The KDE Konqueror browser, however, offers no means of examining the details of a certificate.
- Certificate spoofing with subjectAltName and domain name wildcards, security advisory from Nils Toedtmann