Slashdot Mirror


Null-Prefix SSL Certificate For PayPal Released

An anonymous reader writes "Nine weeks after Moxie Marlinspike presented at Defcon 17, null-prefix certificates that exploit the SSL certificate vulnerability are beginning to appear. Yesterday, someone posted a null-prefix certificate for www.paypal.com on the full-disclosure mailing list. In conjunction with sslsniff, this certificate can be used to intercept communication to PayPal from all clients using the Windows Crypto API, for which a patch is still not available. This includes IE, Chrome, and Safari on Windows. What's worse, because of the OCSP attack that Moxie also presented at Defcon, this certificate cannot be revoked." Update: 10/06 23:19 GMT by KD: Now it seems that PayPal has suspended Marlinspike's account.

9 of 351 comments

  1. Re:Heh... surprised? by petronije · · Score: 5, Informative

    Looks like lynx (http://lynx.isc.org) is still safe.

  2. Re:Wow? by captnbmoore · · Score: 4, Informative

    You do know what a marlinspike is, right? http://en.wikipedia.org/wiki/Marlinspike

    --
    The Navy Motto "IF it ain't broke Fix It" "A day is wasted if you don't learn something new"
  3. Re:Heh... surprised? by Romancer · · Score: 4, Informative

    From the article:

    Fortunately, Mozilla developers patched the hole a few days after Marlinspike's demo and Apple followed suit a few weeks later with Safari for OS X. That means if you're on Windows, the only way to protect yourself against this critical vulnerability is to use versions 3.5 or 3.0.13 or later of Firefox. At least until Microsoft fixes the CryptoAPI, whenever that may be.

    --
    ) Human Kind Vs Human Creation
    ) It'd be interesting to see how many humans would survive to serve us.
  4. Update by Hatta · · Score: 4, Informative

    Sounds like PayPal should be freezing everyone's account until this is fixed.

    --
    Give me Classic Slashdot or give me death!
  5. Re:Yay Choices! by quickOnTheUptake · · Score: 4, Informative
    Using a less targeted platform is not security through obscurity, at least not in the conventional sense of the term.
    This is a nice definition:

    Security Through Obscurity (STO) is the belief that a system of any sort can be secure so long as nobody outside of its implementation group is allowed to find out anything about its internal mechanisms. Hiding account passwords in binary files or scripts with the presumption that "nobody will ever find it" is a prime case of STO.

    For shits and grins, here is a Slashdot feature on the topic; the first couple of paragraphs should make the usage clear. In fact, he even goes on to point out that it cannot be used by open-source software.

    --
    Mod points: Guaranteed to remove your sense of humor.
    Side effects may include gullibility and temporary retardation
  6. Re:Yay Choices! by Jaysyn · · Score: 4, Informative

    Or just use Firefox. Wow, that's a lot easier!

    --
    There is a war going on for your mind.
  7. How does this work (in 20 seconds) by Monkier · · Score: 5, Informative

    what usually happens:
    * you request a cert common-name=serverbox.mydomain.com from a Certificate Authority (CA)
    * CA determines you are authorized to make this request on behalf of mydomain.com
    * serverbox.mydomain.com serves down the signed cert, your browser makes sure website == common-name == serverbox.mydomain.com

    what these clever guys discovered:
    * you can request a cert common-name=paypal.com\0.mydomain.com
    * CA determines you are authorized to make this request on behalf of mydomain.com
    * man-in-the-middle sits in between you and paypal.com, serves down this cert, victim's browser makes sure website == common-name == paypal.com (whoops!)
    * victim sees paypal.com in their browser with that reassuring padlock
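    The comparison bug behind the "whoops!" step above, as an added example that is not part of the original thread or of any real browser's code: the common name in a certificate is a length-prefixed DER string, so it can carry an embedded NUL, while a C-string comparison stops at the first NUL. The constructed sample CN and the two checker functions are assumptions made for illustration; the hardened version uses the declared length and rejects embedded NUL bytes outright.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A DER string carries an explicit length, so it may legally contain a NUL byte. */
typedef struct { const unsigned char *data; size_t len; } der_string;

/* Vulnerable pattern: copy the CN into a C buffer and compare with strcmp,
   which silently ignores everything after the first NUL. */
bool cn_matches_vulnerable(der_string cn, const char *host) {
    char buf[256];
    size_t n = cn.len < sizeof buf - 1 ? cn.len : sizeof buf - 1;
    memcpy(buf, cn.data, n);
    buf[n] = '\0';
    return strcmp(buf, host) == 0;   /* stops at the embedded NUL */
}

/* Hardened pattern: honour the DER length, treat any embedded NUL as a
   malformed name, and require the full lengths to agree before comparing. */
bool cn_matches_safe(der_string cn, const char *host) {
    if (memchr(cn.data, '\0', cn.len) != NULL)
        return false;                /* embedded NUL: reject the name */
    size_t hlen = strlen(host);
    return cn.len == hlen && memcmp(cn.data, host, hlen) == 0;
}

/* Constructed sample CNs (hypothetical, not from any real certificate). */
static const unsigned char NULL_PREFIX_CN[] = "paypal.com\0.mydomain.com";
static const der_string NULL_PREFIX = { NULL_PREFIX_CN, sizeof NULL_PREFIX_CN - 1 };
static const unsigned char LEGIT_CN[] = "paypal.com";
static const der_string LEGIT = { LEGIT_CN, sizeof LEGIT_CN - 1 };

int main(void) {
    printf("vulnerable check accepts null-prefix CN: %d\n",
           cn_matches_vulnerable(NULL_PREFIX, "paypal.com"));   /* 1 */
    printf("hardened check accepts null-prefix CN:   %d\n",
           cn_matches_safe(NULL_PREFIX, "paypal.com"));         /* 0 */
    printf("hardened check accepts legitimate CN:    %d\n",
           cn_matches_safe(LEGIT, "paypal.com"));               /* 1 */
    return 0;
}
```

    The same length-aware rule is what the patched Firefox and Safari builds mentioned in this thread effectively enforce: the CN is only ever compared over its declared DER length.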

  8. escape-characters poorly misunderstood by durnurd · · Score: 4, Informative
    I'm rather fond of this bit of ignorance:

    The certificate is the latest to target a weakness that causes browsers, email clients, and other SSL-enabled apps to ignore all text following the \ and 0 characters

    --
    --Edward Dassmesser
  9. Re:So let me get this right... by Anonymous Coward · · Score: 5, Informative

    I have never understood that for years, you have been able to create a folder with a space at the end of its name in a script. Try, just try, to delete that folder.. You can't create it in Explorer, you can't delete it in Explorer.. in fact, the only way to fix that I have found is to hope to God it's a long file name, drop to a command prompt, and delete it with "Del folder~1"

    Well, the documentation for Windows Explorer specifically states that it may not support all the naming conventions of the underlying file systems. Of course, it would be entirely reasonable to expect it to fully support the naming conventions of any Microsoft file system, but MS seems to operate under an unusual definition of "reasonable"...

    You don't need a script to create such folders, just the command prompt. This will work just fine: mkdir ".\Space \". Even better, dir /X may fail to reveal this as a long filename (by definition, any filename containing a space is a long filename even if it's eight or fewer characters in length), in which case there's no way to use dir to make it obvious there's an abomination in the list of folders.

    Note that mkdir "Space " won't give you the trailing space in the folder name, at least not on anything earlier than Vista or 2003 (never tried this trick on anything after XP). Similarly, rmdir "Space " fails to remove the directory, but you can remove it with rmdir ".\Space \".

    File this under "Stupid cmd.exe tricks".

    Speaking of which, I got to try that in Server 2008 and Windows 7.. It's a fun way to use 3 lines of script to really piss off your IT co-workers...

    Heh, create three sibling directories named "stuck" where they have one, two, and three trailing spaces - then sit back and watch the consternation. It will look like there are three folders with identical names under the same folder (impossible!), and none of them can be deleted with Explorer. Pure, evil fun.

    - T