Slashdot Mirror


Null-Prefix SSL Certificate For PayPal Released

An anonymous reader writes "Nine weeks after Moxie Marlinspike presented at Defcon 17, null-prefix certificates that exploit the SSL certificate vulnerability are beginning to appear. Yesterday, someone posted a null-prefix certificate for www.paypal.com on the full-disclosure mailing list. In conjunction with sslsniff, this certificate can be used to intercept communication to PayPal from all clients using the Windows Crypto API, for which a patch is still not available. This includes IE, Chrome, and Safari on Windows. What's worse, because of the OCSP attack that Moxie also presented at Defcon, this certificate cannot be revoked." Update: 10/06 23:19 GMT by KD: Now it seems that PayPal has suspended Marlinspike's account.
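An added example, not part of the Slashdot post or of any project it mentions: C code showing why the certificate name quoted in the comments below, `www.paypal.com\0ssl.secureconnection.cc`, satisfies a C-string comparison against `www.paypal.com`, and how a length-aware check rejects it. The function names and the sample buffer are hypothetical, and only exact (non-wildcard) names are handled.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the CN bytes quoted in the comments, with a real 0x00
 * byte after "www.paypal.com". An ASN.1 string carries an explicit length. */
static const unsigned char SAMPLE_CN[] = "www.paypal.com\0ssl.secureconnection.cc";
#define SAMPLE_CN_LEN (sizeof SAMPLE_CN - 1)

/* Flawed pattern: treats the CN as a C string, so comparison stops at the
 * first NUL and the rest of the name is never looked at. */
int naive_match(const unsigned char *cn, size_t len, const char *host)
{
    (void)len; /* the length field is ignored, which is the bug */
    return strcmp((const char *)cn, host) == 0;
}

/* Returns 1 if the name contains a NUL byte anywhere inside its length. */
int has_embedded_nul(const unsigned char *cn, size_t len)
{
    return memchr(cn, 0, len) != NULL;
}

/* Length-aware check: reject embedded NULs, then compare all len bytes
 * case-insensitively against the expected host name. */
int strict_match(const unsigned char *cn, size_t len, const char *host)
{
    size_t i;
    if (has_embedded_nul(cn, len) || len != strlen(host))
        return 0;
    for (i = 0; i < len; i++)
        if (tolower(cn[i]) != tolower((unsigned char)host[i]))
            return 0;
    return 1;
}

int main(void)
{
    const char *host = "www.paypal.com";
    printf("naive:  %d\n", naive_match(SAMPLE_CN, SAMPLE_CN_LEN, host));
    printf("nul:    %d\n", has_embedded_nul(SAMPLE_CN, SAMPLE_CN_LEN));
    printf("strict: %d\n", strict_match(SAMPLE_CN, SAMPLE_CN_LEN, host));
    return 0;
}
```

A validator or log pipeline can use the `has_embedded_nul` test on every subject and subjectAltName string to flag such certificates before any name matching is attempted.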

5 of 351 comments

  1. Paypal uses an EV cert. by Cerebus · · Score: 0, Troll

    And since the null-termination cert *doesn't chain to an EV provider* it's not much of an exploit, really. No green bar, not safe.

    --
    -- Cerebus
  2. Idiot or Shill by omb · · Score: -1, Troll

    It is M$ again, and you are an idiot, see the report, the cert WAS valid as issued and then patched

    and 9 weeks later that wonder of the modern world is sitting with its thumb up its bum ruminating.

    This is all down to M$ and no one else.

    www.paypal.com\0ssl.secureconnection.cc

    It's not \0, it is the null byte, binary 00000000

  3. Re:Such dependencies annoy nLite users! by Anonymous Coward · · Score: -1, Troll

    GOD, THIS!

    I wish Google would move away from depending on the crap there.
    This is the one really weak part in the entire Chrome browser, depending on WINDOWS.

  4. uber lolz by dissy · · Score: -1, Troll

    This is hilarious.

    So PayPal violates their own privacy policy by not using working encryption, decides to commit the crime of theft against the one person trying to get PayPal to stop violating their own policy, and quotes the reason is HE somehow caused them to not use working encryption!

    I would so love to see some of the PayPal directors in prison, like any of us would be if we committed the same crimes.
