Slashdot Mirror


Null-Prefix SSL Certificate For PayPal Released

An anonymous reader writes "Nine weeks after Moxie Marlinspike presented at Defcon 17, null-prefix certificates that exploit the SSL certificate vulnerability are beginning to appear. Yesterday, someone posted a null-prefix certificate for www.paypal.com on the full-disclosure mailing list. In conjunction with sslsniff, this certificate can be used to intercept communication to PayPal from all clients using the Windows Crypto API, for which a patch is still not available. This includes IE, Chrome, and Safari on Windows. What's worse, because of the OCSP attack that Moxie also presented at Defcon, this certificate cannot be revoked." Update: 10/06 23:19 GMT by KD: Now it seems that PayPal has suspended Marlinspike's account.
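An added example (not part of the original post or of sslsniff) of the check a client needs against this class of certificate: a null-prefix name carries a NUL byte inside its declared length, so a comparison that treats it as a C string sees only the part before the NUL. The struct, function names and the `attacker.example` domain are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A subject name as decoded from the certificate: bytes plus explicit length. */
struct cert_name { const unsigned char *data; size_t len; };

/* Constructed samples; "attacker.example" is a placeholder domain. */
static const unsigned char BAD[] = "www.paypal.com\0.attacker.example";
static const unsigned char GOOD[] = "www.paypal.com";
static const struct cert_name NULL_PREFIX_CN = { BAD, sizeof(BAD) - 1 };
static const struct cert_name PLAIN_CN = { GOOD, sizeof(GOOD) - 1 };

/* Flawed pattern: treats the name as a C string, so the comparison stops at
 * the first NUL and never sees the bytes after it. */
int naive_match(const struct cert_name *cn, const char *host)
{
    return strcmp((const char *)cn->data, host) == 0;
}

/* A name with a NUL inside its declared length is never a valid hostname. */
int has_embedded_nul(const struct cert_name *cn)
{
    return memchr(cn->data, '\0', cn->len) != NULL;
}

/* Length-aware check: reject embedded NULs, then compare every byte. */
int strict_match(const struct cert_name *cn, const char *host)
{
    size_t i, hlen = strlen(host);
    if (has_embedded_nul(cn) || cn->len != hlen)
        return 0;
    for (i = 0; i < hlen; i++)
        if (tolower(cn->data[i]) != tolower((unsigned char)host[i]))
            return 0;
    return 1;
}

int main(void)
{
    printf("naive:  %d\n", naive_match(&NULL_PREFIX_CN, "www.paypal.com"));
    printf("strict: %d\n", strict_match(&NULL_PREFIX_CN, "www.paypal.com"));
    printf("plain:  %d\n", strict_match(&PLAIN_CN, "WWW.PayPal.com"));
    return 0;
}
```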

2 of 351 comments

  1. Re:In other news... by SignOfZeta · Score: 0, Offtopic

    2010, the year of that win you First National Lottery of Nigeria, headquartered in an English-speaking embassy for purposes translation. To claim the money, please use our secure website [paypal.com] with your name, address, bank account information, and Social Security number to claim you're prize.

  2. Re:In other news... by promythyus · Score: 0, Offtopic

    THAT cycle never ends, it will permanently be the bane of all non-single men