Researchers in Germany have found a way to trick Certificate Authorities into issuing fraudulent SSL certificates in what could represent a major threat to the SSL/TLS ecosystem.
This as many of you already undestand is not good news.
There are some reports saying that the attack can essentially trick some CAs into incorrectly issuing SSL certificates.
Obviously, the threat here is that spoofers could get an SSL certificate for someone else’s domain and use it to create a frighteningly convincing copy of that website.
So convincing, in fact, that even a user’s web browser would be tricked by it.
The attack exploits DNS cache poisoning and tricks the CA into issuing fraudulent certificates for domains the attacker does not legitimately own – namely certificates binding the attacker’s public key to a victim domain.
The attack depends on getting said DNS responses broken into fragments, and then injecting malicious fragments to fool the CA into handing over the cert to the attacker. The first fragments of the response contain valid DNS challenge-response fields. The inserted fragments can be whatever the miscreant needs to complete the transaction so that he or she gets the cert.
We’ll update you when the research is presented next month.
As always, feel free to leave any comments or questions!