Slashdot Mirror


Null-Prefix SSL Certificate For PayPal Released

An anonymous reader writes "Nine weeks after Moxie Marlinspike presented at Defcon 17, null-prefix certificates that exploit the SSL certificate vulnerability are beginning to appear. Yesterday, someone posted a null-prefix certificate for www.paypal.com on the full-disclosure mailing list. In conjunction with sslsniff, this certificate can be used to intercept communication to PayPal from all clients using the Windows Crypto API, for which a patch is still not available. This includes IE, Chrome, and Safari on Windows. What's worse, because of the OCSP attack that Moxie also presented at Defcon, this certificate cannot be revoked." Update: 10/06 23:19 GMT by KD: Now it seems that PayPal has suspended Marlinspike's account.
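The null-prefix trick the summary refers to, as an added defensive example (not code from the article, sslsniff, or the posted certificate): a constructed DER UTF8String whose value is www.paypal.com followed by a NUL byte and a placeholder attacker domain is parsed using the DER length and compared with a C-string view of the same bytes, and a hostname check rejects any name containing a NUL. The subject string and the domain attacker.example are assumptions made for the sample.

```python
# Added defensive example: detecting a null-prefix name in a certificate
# subject. Not code from the article, sslsniff, or the posted certificate.
# The subject string and the domain "attacker.example" are constructed.

def der_utf8string(value: bytes) -> bytes:
    """Encode a DER UTF8String (tag 0x0C, short-form length) for the sample."""
    assert len(value) < 128, "short-form length only in this sample"
    return b"\x0c" + bytes([len(value)]) + value

# Constructed sample: what a null-prefix CN looks like on the wire.
NULL_PREFIX_NAME = b"www.paypal.com\x00.attacker.example"
SAMPLE_DER = der_utf8string(NULL_PREFIX_NAME)

def parse_der_string(der: bytes) -> bytes:
    """Length-aware parse: returns the whole value, NUL byte included."""
    if not der or der[0] != 0x0C:
        raise ValueError("not a DER UTF8String")
    length = der[1]
    if length & 0x80:
        raise ValueError("long-form length not handled in this sample")
    value = der[2:2 + length]
    if len(value) != length:
        raise ValueError("truncated DER string")
    return value

def c_string_view(value: bytes) -> bytes:
    """What a strlen()-style consumer sees: only the bytes before the first NUL."""
    return value.split(b"\x00", 1)[0]

def naive_hostname_matches(cert_name: bytes, hostname: str) -> bool:
    """Flawed check: compares the C-string view, so the NUL hides the real name."""
    return c_string_view(cert_name).decode("ascii").lower() == hostname.lower()

def hostname_matches(cert_name: bytes, hostname: str) -> bool:
    """Safe check: a NUL is never valid in a DNS name, so reject it outright,
    then compare the complete DER value case-insensitively."""
    if b"\x00" in cert_name:
        return False
    name = cert_name.decode("ascii", errors="replace")
    return name.lower() == hostname.lower()

if __name__ == "__main__":
    full = parse_der_string(SAMPLE_DER)
    print("DER value     :", full)
    print("C-string view :", c_string_view(full))
    print("naive match   :", naive_hostname_matches(full, "www.paypal.com"))  # True
    print("safe match    :", hostname_matches(full, "www.paypal.com"))        # False
```

The same NUL check applies to subjectAltName dNSName entries, which is where modern clients look first.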

15 of 351 comments

  1. In other news... by Anonymous Coward · Score: 4, Funny

    ...it is thought that more people are going to be using Macs and Linux in the future.

    1. Re:In other news... by Trepidity · Score: 2, Funny

      2010, Year of the Linux Desktop?

    2. Re:In other news... by Shikaku · Score: 3, Funny

      2010 is the year of the phished desktop :3

    3. Re:In other news... by __aaclcg7560 · Score: 3, Funny

      2012, Year that no one will care about your Desktop or anything else.

    4. Re:In other news... by Dersaidin · Score: 3, Funny

      Maybe if someone could use the SSL exploit to hijack the windows update service and use it to replace everyone's windows installs with linux.

    5. Re:In other news... by Anonymous Coward · Score: 1, Funny

      OTOH, I don't have any Libertarians riding fireballs into my house.

    6. Re:In other news... by sproot · Score: 2, Funny

      Weirdly enough, Linux doesn't use the Windows CryptoAPI and therefore isn't vulnerable to this.
      Neither does FF on Windows, don't know about Opera though. Doubtless a fanboi will be along with the news shortly.

  2. Wow? by Anonymous Coward · Score: 4, Funny

    Moxie Marlinspike - that's a goblin name if I ever saw one.

  3. Re:What about the CA that issued it? by Anonymous Coward · Score: 1, Funny

    But regular expressions are hard!

  4. Re:"...PayPal has suspended Marlinspike's account." by HeronBlademaster · Score: 5, Funny

    If you don't shoot the bearers of bad news, people will keep bringing it to you.

  5. Shooting whom? by eyepeepackets · Score: 4, Funny

    Kirk: How is the messenger, Bones?

    McCoy: He's dead, Jim.

    Kirk: Well, I suppose our mission here is accomplished.

    McCoy: Yes, I suppose you're right.

    --
    Everything in the Universe sucks: It's the law!

  6. escape-characters poorly misunderstood? by YesIAmAScript · Score: 3, Funny

    I dunno, they seem fully misunderstood in this case.

    --
    http://lkml.org/lkml/2005/8/20/95

  7. Re:Heh... surprised? by maxwell+demon · Score: 3, Funny

    CryptoAPI is easily avoidable, just use Unix libs for Hashing, Keys and Singins.

    So am I more secure if I sing myself instead of the computer letting it do for me?
    Does it matter which song I sing? I guess "ring of fire" would make a good firewall?

    SCNR :-)

    --
    The Tao of math: The numbers you can count are not the real numbers.

  8. Re:Paypal uses an EV cert. by muckracer · Score: 2, Funny

    > Never type a password into a site unless you see a lock icon in your browser.

    So how'd you log into Slashdot?

  9. Re:Yay Choices! by Anonymous Coward · Score: 1, Funny

    From this information I have already deduced your IP address is 127.0.0.1