
Null-Prefix SSL Attacks Enabled In New sslsniff

An anonymous reader writes "Moxie Marlinspike, who recently published new attacks on SSL at Defcon 17, seems to have released the new version of sslsniff which supports these attacks. While the release appears to coincide with a patch from Mozilla, every product that uses the Microsoft CryptoAPI is still vulnerable, including Internet Explorer and Outlook. The new version of sslsniff also supports built-in modes for hijacking software auto-updates that depend on SSL, and apparently includes techniques for defeating OCSP as well — making the elimination of existing null-prefix certificates difficult."
  • The actual paper (Score:4, Informative)

    by Anonymous Coward on Tuesday August 04, 2009 @10:45AM (#28940999)

    Here's a link to the actual paper on the topic:
    http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf

  • by The MAZZTer ( 911996 ) <megazzt&gmail,com> on Tuesday August 04, 2009 @10:48AM (#28941043) Homepage
    Microsoft issue a fix before Mozilla? I don't think you understand how "Patch Tuesday" works.
  • by Anonymous Coward on Tuesday August 04, 2009 @11:26AM (#28941703)

    If this guy didn't inform anyone except Mozilla...

    From the security advisory at Mozilla [mozilla.org]

    Mozilla would like to thank Dan and the Microsoft Vulnerability Research team for coordinating a multiple-vendor response to this problem.

    Looks like MS was informed (as they certainly should have been), just considerably slower on the fix (imagine that?). How long should Mozilla have waited before releasing their fix? Until after Windows 7 ships and MS decides they can afford some dev cycles to go patch WinXP?

  • by gnasher719 ( 869701 ) on Tuesday August 04, 2009 @11:41AM (#28942001)

    You're absolutely right. If this guy didn't inform anyone except Mozilla, he's bringing browser wars to a new low, by being willing to expose a majority of web users involved in e-commerce and other "secure" online access to his vulnerability for whatever the lead time of patching is, but exempting users of his favorite browser. IF that's what he did, that's ridiculous, childish, and petty.

    Reading the article, there seemed to be a good reason to inform Mozilla first, because they were the most vulnerable. Apparently, to spoof say Internet Explorer, you need a certificate for "www.ebay.com\0.evilhackers.com", one for "www.amazon.com\0.evilhackers.com" and so on, but to spoof Mozilla-based browsers, a certificate for "*\0.evilhackers.com" will be accepted for _every_ site in existence.
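
The mismatch described in the comment above, as an added example that is not part of the original thread or of sslsniff: a certificate name carries an explicit length, and a validator that compares it as a C string stops at the first NUL byte. The function names and the sample name are constructed for illustration, and only the exact-name case is covered, not wildcards.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample names, not taken from any real certificate.
   NULL_PREFIX holds an embedded NUL byte after "www.ebay.com". */
static const char NULL_PREFIX[] = "www.ebay.com\0.evilhackers.com";
static const char HONEST[]      = "www.ebay.com";

/* Flawed check: treats the certificate name as a C string, so the comparison
   stops at the first NUL byte and the bytes after it are never examined. */
int match_cstring(const char *name, size_t name_len, const char *host) {
    (void)name_len;                 /* the declared length is ignored */
    return strcasecmp(name, host) == 0;
}

/* Hardened check: a name with a NUL byte anywhere inside its declared length
   is rejected outright; otherwise the whole name must equal the hostname. */
int match_length_aware(const char *name, size_t name_len, const char *host) {
    if (memchr(name, '\0', name_len) != NULL)
        return 0;
    return name_len == strlen(host) && strncasecmp(name, host, name_len) == 0;
}

int main(void) {
    const char *host = "www.ebay.com";
    size_t bad_len  = sizeof NULL_PREFIX - 1;   /* length as encoded in the cert */
    size_t good_len = sizeof HONEST - 1;

    printf("declared length of null-prefix name: %zu, strlen sees: %zu\n",
           bad_len, strlen(NULL_PREFIX));
    printf("C-string compare accepts null-prefix name: %d\n",
           match_cstring(NULL_PREFIX, bad_len, host));
    printf("length-aware compare accepts null-prefix name: %d\n",
           match_length_aware(NULL_PREFIX, bad_len, host));
    printf("length-aware compare accepts honest name: %d\n",
           match_length_aware(HONEST, good_len, host));
    return 0;
}
```

The gap between the declared length and what `strlen` reports is the signal a validator or a certificate-issuing pipeline can check for before any hostname comparison takes place.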
