Jan 31, 2003
This article is prohibited to readers in the United States, and other such totalian regimes, in which it may not be permitted to read such things
Y'know SSL right. It's a protocol that encrypts stuff between you and a webserver. But you need to know who you're talking to, whether you're talking to the webmaster you think you are, or to some random person pretending to be webmaster, but using their own SSL certificate.
People solve this by paying Thwarte or Verisign to sign their certificate, so when you go to a site, it says "this is site x, run by person y, and we know it is because we've been paid £100 out of their credit card"
I used to think this was really weird. After all, if you type yahoo.com into your browser, you get Yahoo! Corporation (CA)'s website, right. That's how the internet works. Why do I need some silly certificate to prove they are who they say they are?
Okay, I'm not so naive as that, but I'm sure we've all wondered from time to time why SSL certs are needed: aren't DNS servers supposed to be hard-as-nails, and secure from any attack? If I type yahoo.com, I get an IP address for yahoo, right?
Well, I'll point you at the article rather than trying to explain it myself. It shows how, with appropriate bandwidth, you can force a DNS server to hijack someone else's domain, and point all yahoo.com requests to your own webserver.
http://online.securityfocus.com/guest/17905
Okay, pointing yahoo.com to your PC is probably not the smartest idea in the world ever, as 200 million people per day hammer at your net connection demanding their email. But suppose you had a normal target. Someone you really want people to trust, like for example HSBC, the bank.
With an attack like this, you can force hsbc.com requests to come to your computer. So what then? HSBC has SSL certificates right, you can't forge them
Well no, you can't. However, it turns out that you don't need to. Internet Explorer has this feature where anybody with a Thwarte key can sign another key, and Internet Explorer will accept it as if the second key was signed by Thwarte themselves
But nobody still uses Internet Explorer, you say. It's got 19 serious outstanding vulnerabilities as I type, and nobody with a security-clue has used it since 1997. Okay, valid point, but consider this: Banks are so outdated, that they still design their sites specifically for Internet Explorer, and some even refuse to communicate to people who send a USER-AGENT header without "IE" in it.
So... DNS hijacks against BIND with a flood of packets and hoping for a collision. Attack at the same time as the next Microsoft worm takes down the real DNS servers, and self-sign your SSL certificate in the knowledge that HSBC customers have to use an insecure browser which doesn't really support SSL properly. So is this an attack?
Well, yes. So far as your connectants are concerned, you are the HSBC site. They got to you by typing hsbc.com. The padlock icon is lit-up, indicating that the connection is secure, and the site's identity is 'verifiied'. Your HTTP-SSL server is returning pages on port 22 which look the same as the official site. (well, you downloaded the HTML, they damn well ought to look the same!)
All you need do now is sit back and accept the passwords that people are typing into your site. Gather them up, return an out-of-order message, and use the passwords to go browsing bank accounts.
And the bank may be a contrived example: if HSBC doesn't have a dozen DSL machines pinging DNS servers to check for hijacks, I'd be surprised indeed. (well, maybe not. people don't understand computer security) -- but the method of attack will work against any site. If you're smarmy enough to get mail.yahoo.fr pointing to your box, then that's a list of email passwords without even needing an SSL certificate.
But best be quick -- this sort of thing won't go unnoticed against a major site. The chances of me noticing that blibbleblobble.co.uk doesn't resolve is remote, as with any small server. Attack Yahoo, and you'll have the 'net talking in no time, and no small number of people visiting your server's registered location.
So a hypothetical attack, with only two conclusions.
Update: (Jan 2004): another way to spoof website URLs in Internet Explorer, still unfixed at the time of writing
