Mozilla Foundation Security Advisory 2008-31

Peer-trusted certs can use alt names to spoof

Announced
July 1, 2008
Reporter
John G. Myers
Impact
Moderate
Products
Firefox, SeaMonkey, Thunderbird
Fixed in
  • Firefox 2.0.0.15
  • SeaMonkey 1.1.10
  • Thunderbird 2.0.0.16

Description

Mozilla developer John G. Myers reported a weakness in the trust model used by Mozilla regarding alternate names on self-signed certificates (and those with mismatched names) that if accepted could be used to spoof a secure connection to any other site. This problem was independently reported by Frank Benkstein and Nils Toedtmann.

In Firefox 2 and earlier Mozilla-based browsers, when a user encounters a site with a self-signed certificate or one whose name does not exactly match the name in the certificate an error dialog is presented that allows the user to reject the certificate, or accept it as valid and access the site. There was no concept of partial trust, accepting the certificate as valid marked it as trusted for all information it contained, including alternate site names. These alternate names could be viewed as part of the certificate details, but since they were not present on the initial dialog many users could be fooled into accepting a certificate for a site they didn't care about (but wanted to see) that also asserted that it was a certificate for your bank or prominent online shop. Once accepted this certificate could be used to spoof that site or perform a Man-in-the-Middle attack.

The dialog has been changed in Firefox 2.0.0.15 to list the alternate names and users should not accept certificates that claim an unreasonable set of alternate names. Certificate handling in Firefox 3 is quite different and it was not susceptible to this vulnerability. In Firefox 3 there is no dialog to accept self-signed certificates, and when users do choose to make an exception to the SSL security model the certificate is only trusted for that one listed exception, not for any other site.

References