Null-Prefix SSL Certificate For PayPal Released
An anonymous reader writes "Nine weeks after Moxie Marlinspike presented at Defcon 17, null-prefix certificates that exploit the SSL certificate vulnerability are beginning to appear. Yesterday, someone posted a null-prefix certificate for www.paypal.com on the full-disclosure mailing list. In conjunction with sslsniff, this certificate can be used to intercept communication to PayPal from all clients using the Windows Crypto API, for which a patch is still not available. This includes IE, Chrome, and Safari on Windows. What's worse, because of the OCSP attack that Moxie also presented at Defcon, this certificate cannot be revoked." Update: 10/06 23:19 GMT by KD: Now it seems that PayPal has suspended Marlinspike's account.
...it is thought that more people are going to be using Macs' and Linux in the future.
Moxie Marlinspike - that's a goblin name if I ever saw one.
If you don't shoot the bearers of bad news, people will keep bringing it to you.
Kirk: How is the messenger, Bones?
McCoy: He's dead, Jim.
Kirk: Well, I suppose our mission here is accomplished.
McCoy: Yes, I suppose you're right.
Everything in the Universe sucks: It's the law!