SSL Certificate Null Byte Poisoning

July 31, 2009

Multiple browsers are theoretically prone to a security-bypass vulnerability. The problem is due to improper validation of the domain name in a signed Certificate Authority (CA) certificate. Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks.

Dan Kaminsky and Moxie Marlinspike, while working separately, have discovered the same vulnerability that would affect many SSL implementations. Basically when the vulnerable browsers check the domain name contained in the attacker's certificate, they stop reading any characters that follow a null byte (x00 or ) character. The vulnerability has been assigned as CVE-2009-2408.

The whole trick is to get a CA to sign a certificate for a subdomain containing a null byte. An example would be, where "" is the subdomain and "" is the null byte. Firefox and other browsers theoretically can be fooled into reading this certificate as if it were coming from PayPal's web site. This allows the attacker to steal the victim's PayPal credential.

To solve this problem, both CAs and browser developers have to take actions. For CAs, they must stop issuing certificate that contains a null byte. (VeriSign, one of the lagest CAs, claims that "No certificates under the VeriSign brand or sub-brands have a domain containing a null character".) Meanwhile, in order to prevent attacks using existing CA-signed certificates or self-signed certificates (which contain a null byte as subdomain), developers of browsers have to fix their SSL implementations and continue reading the domain name when a null byte is encountered.

SonicWALL has released an IPS signature that will detect and prevent attacks targeting this vulnerability. The signature to address this vulnerability is:

  • 1266 SSL Server Certificate Null Byte Poisoning Exploit