SSL Certificate Null Byte Poisoning (July 31, 2009)

Multiple browsers are theoretically prone to a security-bypass vulnerability. The problem is due to improper validation of the domain name in a signed Certificate Authority (CA) certificate. Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks.

Dan Kaminsky and Moxie Marlinspike, working separately, discovered the same vulnerability, which affects many SSL implementations. Basically, when a vulnerable browser checks the domain name contained in the attacker's certificate, it stops reading at the first null byte (\x00) and ignores every character that follows it. The vulnerability has been assigned CVE-2009-2408.

The whole trick is to get a CA to sign a certificate for a subdomain containing a null byte. An example would be paypal.com\x00.malicious.com, where "paypal.com" is the subdomain and "\x00" is the null byte. Firefox and other browsers can theoretically be fooled into reading this certificate as if it came from PayPal's web site, which allows the attacker to steal the victim's PayPal credentials.

To solve this problem, both CAs and browser developers have to take action. CAs must stop issuing certificates that contain a null byte. (VeriSign, one of the largest CAs, claims that "No certificates under the VeriSign brand or sub-brands have a domain containing a null character".) Meanwhile, to prevent attacks using existing CA-signed certificates or self-signed certificates whose subdomain contains a null byte, browser developers have to fix their SSL implementations so that they continue reading the domain name when a null byte is encountered, rather than stopping there.
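To make the defect concrete, here is an added illustration (not code from the advisory or from any browser) of a certificate-name check that hands an ASN.1 length-prefixed name to C-string routines, beside a hardened check that honours the length and rejects an embedded null byte. The certificate name bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed sample: the dNSName/CN bytes of a certificate whose name
 * contains an embedded null byte, as described above (not a real cert). */
static const uint8_t POISONED_CN[] = "paypal.com\0.malicious.com";
/* 25 bytes: the ASN.1 length, which does not include the C terminator. */
static const size_t POISONED_CN_LEN = sizeof(POISONED_CN) - 1;

/* Vulnerable check: the name is copied into a buffer and compared with
 * strcmp(), which stops at the first NUL, so only "paypal.com" is seen.
 * Returns 1 when the name is accepted for the expected host. */
int vulnerable_name_match(const uint8_t *cn, size_t cn_len, const char *host) {
    char buf[256];
    if (cn_len >= sizeof(buf)) return 0;
    memcpy(buf, cn, cn_len);
    buf[cn_len] = '\0';
    return strcmp(buf, host) == 0;   /* the ".malicious.com" tail is never compared */
}

/* Hardened check: refuse any embedded NUL (a hostname cannot contain one),
 * then compare the full length-delimited buffer against the host. */
int safe_name_match(const uint8_t *cn, size_t cn_len, const char *host) {
    if (memchr(cn, '\0', cn_len) != NULL) return 0;   /* null byte inside the name: reject */
    size_t host_len = strlen(host);
    if (cn_len != host_len) return 0;
    return memcmp(cn, host, cn_len) == 0;
}

int main(void) {
    printf("vulnerable check accepts poisoned cert: %d\n",
           vulnerable_name_match(POISONED_CN, POISONED_CN_LEN, "paypal.com"));
    printf("hardened check accepts poisoned cert:   %d\n",
           safe_name_match(POISONED_CN, POISONED_CN_LEN, "paypal.com"));
    return 0;
}
```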

SonicWALL has released an IPS signature that will detect and prevent attacks targeting this vulnerability. The signature to address this vulnerability is:

  • 1266 SSL Server Certificate Null Byte Poisoning Exploit