Null-Prefix SSL Attacks Enabled In New sslsniff
An anonymous reader writes "Moxie Marlinspike, who recently published new attacks on SSL at Defcon 17, seems to have released the new version of sslsniff which supports these attacks. While the release appears to coincide with a patch from Mozilla, every product that uses the Microsoft CryptoAPI is still vulnerable, including Internet Explorer and Outlook. The new version of sslsniff also supports built-in modes for hijacking software auto-updates that depend on SSL, and apparently includes techniques for defeating OCSP as well — making the elimination of existing null-prefix certificates difficult."
Appears to coincide.. (Score:5, Insightful)
appears to coincide with a patch from Mozilla
If some guy waited until Microsoft fixed a vulnerability to release a patch, but not before Mozilla fixed the patch, then we would all be crying foul.
Since it's the other way around, nobody will have a problem I'm sure.
Re:Just to make things easier in the future (Score:4, Insightful)
every product [...] is still vulnerable,
Fixed.
Re:Appears to coincide.. (Score:3, Insightful)
Evidently Mozilla was notified as early as February. What makes you think that Microsoft wasn't notified at the same time?