Slashdot Mirror


Null-Prefix SSL Attacks Enabled In New sslsniff

An anonymous reader writes "Moxie Marlinspike, who recently published new attacks on SSL at Defcon 17, seems to have released the new version of sslsniff which supports these attacks. While the release appears to coincide with a patch from Mozilla, every product that uses the Microsoft CryptoAPI is still vulnerable, including Internet Explorer and Outlook. The new version of sslsniff also supports built-in modes for hijacking software auto-updates that depend on SSL, and apparently includes techniques for defeating OCSP as well — making the elimination of existing null-prefix certificates difficult."

9 of 48 comments

  1. Appears to coincide.. by sys.stdout.write · Score: 4, Insightful

    appears to coincide with a patch from Mozilla

    If some guy waited until Microsoft fixed a vulnerability to release a patch, but not before Mozilla fixed the patch, then we would all be crying foul.

    Since it's the other way around, nobody will have a problem I'm sure.

    1. Re:Appears to coincide.. by sys.stdout.write · Score: 4, Funny

      And by "fixed the patch" I mean "I'm retarded".

      English is hard.

    2. Re:Appears to coincide.. by BasharTeg · Score: 3, Interesting

      You're absolutely right. If this guy didn't inform anyone except Mozilla, he's bringing browser wars to a new low, by being willing to expose a majority of web users involved in e-commerce and other "secure" online access to his vulnerability for whatever the lead time of patching is, but exempting users of his favorite browser. IF that's what he did, that's ridiculous, childish, and petty.

      What about all the other vendors of SSL-dependent software? SSL-based VPNs like OpenVPN for example. No love for them either? Just Mozilla?

      It shows how people like Dan K are smart enough to recognize that major vulnerabilities that can potentially affect massive amounts of service/traffic/commerce need to be handled differently. It doesn't reduce the respect you gain as a security researcher for finding such a major flaw to give vendors notification in a reasonable time period before publication. I'm all for full disclosure as a means of punishing companies that don't respond, but for larger vulnerabilities I think notification and a deadline are the way to go.

    3. Re:Appears to coincide.. by mrsteveman1 · Score: 5, Funny

      I do, it comes right after "oh-shit-we're-screwed sunday" and "pwned monday".

    4. Re:Appears to coincide.. by gnasher719 · Score: 4, Informative

      You're absolutely right. If this guy didn't inform anyone except Mozilla, he's bringing browser wars to a new low, by being willing to expose a majority of web users involved in e-commerce and other "secure" online access to his vulnerability for whatever the lead time of patching is, but exempting users of his favorite browser. IF that's what he did, that's ridiculous, childish, and petty.

      Reading the article, there seemed to be a good reason to inform Mozilla first, because they were the most vulnerable. Apparently, to spoof say Internet Explorer, you need a certificate for "www.ebay.com\0.evilhackers.com", one for "www.amazon.com\0.evilhackers.com" and so on, but to spoof Mozilla-based browsers, a certificate for "*\0.evilhackers.com" will be accepted for _every_ site in existence.
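The mismatch described in the comment above, as an added example that is not part of the original thread and not code from sslsniff or any browser: a certificate name is a length-prefixed byte string, so a check that treats it as a C string stops at the embedded NUL. The `cert_name` struct and function names are hypothetical, and the sample names are constructed from the strings quoted in the comment.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical container: a certificate name as raw bytes plus explicit
   length (ASN.1 strings are length-prefixed, not NUL-terminated). */
struct cert_name { const unsigned char *data; size_t len; };

/* Constructed samples; sizeof - 1 keeps the bytes after the embedded NUL. */
static const unsigned char SPOOFED[] = "www.ebay.com\0.evilhackers.com";
static const unsigned char WILD[]    = "*\0.evilhackers.com";
static const unsigned char HONEST[]  = "www.ebay.com";
static const struct cert_name spoofed = { SPOOFED, sizeof SPOOFED - 1 };
static const struct cert_name wild    = { WILD,    sizeof WILD - 1 };
static const struct cert_name honest  = { HONEST,  sizeof HONEST - 1 };

/* Flawed check: compares as a C string, so everything after the first
   NUL byte in the certificate name is silently ignored. (It also relies
   on the buffer being NUL-terminated, which only holds for these samples.) */
int match_cstring(const struct cert_name *cn, const char *host) {
    return strcasecmp((const char *)cn->data, host) == 0;
}

/* Hardened check: a NUL can never be part of a DNS name, so reject it
   outright, then compare over the full declared length. */
int match_length_aware(const struct cert_name *cn, const char *host) {
    size_t hlen = strlen(host);
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return 0;
    if (cn->len != hlen)
        return 0;
    return strncasecmp((const char *)cn->data, host, hlen) == 0;
}

int main(void) {
    const char *host = "www.ebay.com";
    printf("spoofed: cstring=%d length_aware=%d\n",
           match_cstring(&spoofed, host), match_length_aware(&spoofed, host));
    printf("wild:    length_aware=%d\n", match_length_aware(&wild, host));
    printf("honest:  cstring=%d length_aware=%d\n",
           match_cstring(&honest, host), match_length_aware(&honest, host));
    return 0;
}
```

The hardened function does exact-name matching only; wildcard expansion is deliberately left out, so the `*\0` sample is rejected by the NUL check alone.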

  2. Winning combination by Norsefire · Score: 5, Funny

    Excellent technical skills, interest in hacking and a name that no security department will take seriously.

    1. Re:Winning combination by MyLongNickName · Score: 5, Funny

      Moxie Marlinspike? I thought we had a new Ubuntu release. And I was wondering what happened to the L's.

      --
      See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year

  3. Re:Just to make things easier in the future by gparent · Score: 3, Insightful

    every product [...] is still vulnerable,

    Fixed.

  4. The actual paper by Anonymous Coward · Score: 4, Informative

    Here's a link to the actual paper on the topic:
    http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf