A security researcher who disclosed a serious vulnerability in online certificates has been blocked from accessing his PayPal account after someone released a counterfeit PayPal certificate he created for a professional training session.

Moxie Marlinspike, who gave a talk at the Black Hat security conference in July about vulnerabilities in the ways that certificate authorities issue website certificates, told The Register that PayPal suspended his account, which contains $500 in value, a day after someone posted his certificate online.

"This is not something I had anything to do with, and they responded by suspending my account," he told the publication. "I've been the one trying to warn them of this in the first place."

An e-mail to Marlinspike from PayPal indicated the account was being suspended, not for the certificate, but for misuse of the payment processing service.

"Under the Acceptable Use Policy, PayPal may not be used to send or receive payments for items that show the personal information of third parties in violation of applicable law," the e-mail read. "Please understand that this is a security measure meant to help protect you and your account."

Marlinspike was told the account would be reinstated once he had removed the PayPal logo from his website.

Marlinspike's site includes a page where visitors can download free tools he's written and donate money to him through PayPal. The tools include SSLSniff and SSLStrip, a recent tool he released following his presentation at Black Hat in Las Vegas.

Both tools are used to trick browsers into visiting bogus sites, such as fake PayPal or banking sites, using a bogus certificate.

SSLStrip sniffs traffic going to secure websites that have an https URL in order to conduct a man-in-the-middle attack and take the traffic to an attacker's fake site instead. The user’s browser examines the attacker’s web certificate sent by SSLSniff, believes the attacker is the legitimate site and begins sending data, such as log-in information, credit card and banking details or any other data through the attacker to the legitimate site. The attacker would be able to see the data unencrypted.

A PayPal spokeswoman told The Register that the company does not allow PayPal "to be used in the sale or dissemination of tools which have the sole purpose to attack customers and illegally obtain individual customer information."

The spokeswoman didn't explain why other sites distributing so-called "hacking tools" and using PayPal to process payments have not had their accounts suspended. She also didn't say why the company decided to suspend Marlinspike's account only after someone had posted his bogus PayPal certificate.

Marlinspike's talk at Black Hat showed how an attacker can legitimately obtain a web certificate with a special character in the domain name that would fool nearly all popular browsers into believing an attacker is whichever site he wants to be.

The problem occurs in the way that some certificate authorities issue Secure Socket Layer (SSL) certificates and in the way that browsers implement SSL communications.

“This is a vulnerability that would affect every SSL implementation,” Marlinspike told Threat Level in July, “because almost everybody who has ever tried to implement SSL has made the same mistake.”

Certificates for authenticating SSL communications are issued through Certificate Authorities (CAs) and are used to initiate a secure channel of communication between the user’s browser and a website. When an attacker who owns his own domain — badguy.com — requests a certificate from the CA, the CA, using contact information from Whois records, sends him an e-mail asking to confirm his ownership of the site. But an attacker can also request a certificate for a subdomain of his site, such as Paypal.com\0.badguy.com, using the null character \0 in the URL.

Some CAs will issue the certificate for a domain like PayPal.com\0.badguy.com because the hacker legitimately owns the root domain badguy.com.

Then, due to a flaw found in how SSL is implemented in many browsers, Internet Explorer and other browsers can be fooled into reading the certificate as if it were one that came from PayPal. When these vulnerable browsers check the domain name contained in the attacker’s certificate, they stop reading any characters that follow the “\0″ in the name.

Marlinspike said that an attacker could even register a wildcard domain, such as *\0.badguy.com, which would give him a certificate that would allow him to masquerade as any site on the internet and intercept communication. He said there were ways to trick some browsers into accepting a bogus certificate even if an issuing authority later revoked it.

During a private Black Hat training session that Marlinspike gave to security professionals prior to his public talk, he showed participants a PayPal certificate that he obtained as a proof of concept. Marlinspike told the Register he never distributed the certificate to participants, although a person going by the name "Tim Jones" who posted the certificate to the Full Disclosure mailing list on Monday indicated that Marlinspike did distribute it.

"Attached is one of the null-prefix certificates that [Marlinspike] distributed during his 'intercepting secure communication' training at Black Hat," the person wrote. "This one's for www.paypal.com, and since the Microsoft crypto api appears to remain unpatched, it works flawlessly with sslsniff against all clients on Windows (IE, Chrome, Safari)."

Marlinspike's PayPal certificate was issued by IPS CA, based in Spain, which reportedly has since revoked the certificate. No one was available at IPS CA to answer questions when contacted by Threat Level.

Some browsers, such as Firefox, post a warning to users that the certificate has been revoked when they try to access a site using the certificate. But other browsers don't trigger an alert and are fooled into accepting the certificate.

The vulnerability still exists, despite Marlinspike's warning about it in July, because a bug in Microsoft's CryptoAPI hasn't been fixed. Google's Chrome and Apple's Safari for Windows, which rely on the Microsoft library to examine certificates, are two browsers vulnerable to spoofed certificates.

Photo of Moxie Marlinspike by Dave Bullock.

See also: