Saturday, August 08, 2009

The NULL Character: A black hole into Internet Security

Did you know that anyone can hack your bank account, or just about any secure site that is supposed to be protected by standard or Extended Validation certificates from the most trusted CA, "Verisign"?
And that too using just one character: the NULL character, '\0'.

Here is Google's search page...

Here is the detailed version in PDF, if you want to understand how it happens:
http://www.blackhat.com/presentations/bh-usa-09/MARLINSPIKE/BHUSA09-Marlinspike-DefeatSSL-SLIDES.pdf

The attack targets how CAs (Certificate Authorities) issue certificates to domain owners. Since it is an automated online process, the CA never meets the domain owner or verifies a hard copy of a passport or DL.

The domain owner goes to the CA's website, creates an account, generates a CSR and requests an SSL server certificate for the domain. The CA verifies that it is a valid domain and that it is registered in the name of the person requesting the digital certificate, by sending an email to the registered domain owner's email ID.

To implement the newly found attack, I can simply register a domain like www.mydomain.com and then generate a CSR for www.icicibank.com\0.mydomain.com
The CA will see my domain name as mydomain.com, which I own, and hence can successfully verify my identity. Then I hack your DNS request and redirect you to my site, which is a lookalike of your bank. I then present you my new certificate that I got from Verisign, which looks perfectly OK to your browser, as your browser is going to see www.icicibank.com as the certificate's "issued to" name.
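
The mismatch described above, as an added example that is not code from the original post or from any browser or CA: the same name bytes checked the way the CA sees them, the way a C-string comparison sees them, and with a length-aware check that rejects embedded NUL bytes. The struct and function names are hypothetical, and the sample name is constructed from the CSR name above.

```c
#include <stdio.h>
#include <string.h>

/* A certificate name as encoded in the certificate: bytes plus an explicit
 * length. ASN.1 strings are length-prefixed, so a 0x00 byte is just data. */
struct cert_name { const char *data; size_t len; };

/* Constructed sample: the name from the CSR described above.
 * sizeof - 1 drops only the terminator the compiler appends. */
static const char SAMPLE[] = "www.icicibank.com\0.mydomain.com";
static const struct cert_name sample_cn = { SAMPLE, sizeof(SAMPLE) - 1 };

/* CA-side view: ownership is checked on the domain at the END of the
 * full, length-delimited name. */
int ends_with_domain(const struct cert_name *n, const char *domain)
{
    size_t dlen = strlen(domain);
    if (n->len <= dlen)
        return 0;
    return n->data[n->len - dlen - 1] == '.' &&
           memcmp(n->data + n->len - dlen, domain, dlen) == 0;
}

/* Flawed client-side check: treats the name as a C string, so the
 * comparison stops at the first NUL byte. */
int naive_match(const struct cert_name *n, const char *host)
{
    return strcmp(n->data, host) == 0;
}

/* Hardened check: reject any embedded NUL, then compare the whole name
 * by length. Assumes both sides are already lower-cased. */
int strict_match(const struct cert_name *n, const char *host)
{
    size_t hlen = strlen(host);
    if (memchr(n->data, '\0', n->len) != NULL)
        return 0;
    return n->len == hlen && memcmp(n->data, host, hlen) == 0;
}

int main(void)
{
    printf("CA sees mydomain.com suffix: %d\n", ends_with_domain(&sample_cn, "mydomain.com"));
    printf("naive match on bank host:    %d\n", naive_match(&sample_cn, "www.icicibank.com"));
    printf("strict match on bank host:   %d\n", strict_match(&sample_cn, "www.icicibank.com"));
    return 0;
}
```

The same embedded-NUL rejection applies to every name field a client matches against, not only the common name.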

So what does this mean for an ordinary online banking user?

She might be providing her bank account number and password to a fake bank website which looks exactly like the original bank website. The site is even protected with a valid certificate signed by Verisign. The browser will not complain about anything suspicious.

What a hacker can do once he has you on the fake bank website:
1. Change your profile details so that later on he can reset all security PINs and passwords
2. Find your personal information and then call the bank to make transactions to any account using tele-banking
3. Initiate an online transaction using your credit cards and ask you for the two-factor authentication system PINs as some fake security check drill


Precautions:
When you visit any secured website, make sure you check the following things:

1. The URL in the browser is "https://..."
2. Check that the yellow SSL lock is visible in the status bar of the browser
3. Click on the SSL lock and check the details of the certificate: that it is issued by a known CA and, most importantly, that there are no suspicious intermediate CAs
4. Check the details of the certificate and find the common name in the subject field. See that the common name is the same as the website address you visited.
5. Do not enter your password anywhere unless you initiated a transaction
6. Check your past transactions regularly to see that there are no unknown transactions that you never made.


ICICI Bank has put up a warning message for users to make sure they don't fall victim to the new SSL attacks:

Have safe surfing!

