Null-Prefix SSL Certificate For PayPal Released
An anonymous reader writes "Nine weeks after Moxie Marlinspike presented at Defcon 17, null-prefix certificates that exploit the SSL certificate vulnerability are beginning to appear. Yesterday, someone posted a null-prefix certificate for www.paypal.com on the full-disclosure mailing list. In conjunction with sslsniff, this certificate can be used to intercept communication to PayPal from all clients using the Windows Crypto API, for which a patch is still not available. This includes IE, Chrome, and Safari on Windows. What's worse, because of the OCSP attack that Moxie also presented at Defcon, this certificate cannot be revoked." Update: 10/06 23:19 GMT by KD: Now it seems that PayPal has suspended Marlinspike's account.
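The parsing mismatch behind the null-prefix certificates the summary describes, as an added C illustration (not code from the page, from sslsniff, or from the Windows Crypto API): a certificate's subject name is a length-prefixed ASN.1 string, but a validator that hands those bytes to C string functions stops at the first NUL byte and sees only the prefix. The sample CommonName and the "attacker.example" suffix are constructed placeholders.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed sample CommonName as it would arrive from the certificate's
 * DER encoding: an explicit length plus bytes that contain a NUL.
 * "attacker.example" is a placeholder, not a domain taken from the page. */
static const unsigned char SAMPLE_CN[] = "www.paypal.com\0.attacker.example";
static const size_t SAMPLE_CN_LEN = sizeof(SAMPLE_CN) - 1; /* drop the literal's own NUL */

/* Vulnerable style: treats the DER bytes as a C string, so strcmp() never
 * looks past the embedded NUL and reports "www.paypal.com" as a match. */
int naive_host_match(const unsigned char *cn, size_t cn_len, const char *expected)
{
    (void)cn_len;                      /* DER length ignored: this is the bug */
    return strcmp((const char *)cn, expected) == 0;
}

/* Hardened check: a hostname can never legitimately contain a NUL byte, and
 * the comparison must span the full DER length rather than stop at a NUL. */
int safe_host_match(const unsigned char *cn, size_t cn_len, const char *expected)
{
    if (memchr(cn, '\0', cn_len) != NULL)
        return 0;                      /* embedded NUL: reject outright */
    if (cn_len != strlen(expected))
        return 0;                      /* length mismatch: cannot be equal */
    return memcmp(cn, expected, cn_len) == 0;
}

int main(void)
{
    const char *expected = "www.paypal.com";
    printf("naive: %d\n", naive_host_match(SAMPLE_CN, SAMPLE_CN_LEN, expected)); /* 1 */
    printf("safe:  %d\n", safe_host_match(SAMPLE_CN, SAMPLE_CN_LEN, expected));  /* 0 */
    return 0;
}
```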
In other news... (Score:4, Funny)
Wow? (Score:4, Funny)
Moxie Marlinspike - that's a goblin name if I ever saw one.
Re:In other news... (Score:3, Funny)
2010, Year of the Linux Desktop?
Re:In other news... (Score:4, Funny)
2010 is the year of the phished desktop :3
Re:What about the CA that issued it? (Score:1, Funny)
But regular expressions are hard!
Re:In other news... (Score:4, Funny)
Re:"...PayPal has suspended Marlinspike's account. (Score:5, Funny)
If you don't shoot the bearers of bad news, people will keep bringing it to you.
Shooting whom? (Score:5, Funny)
Kirk: How is the messenger, Bones?
McCoy: He's dead, Jim.
Kirk: Well, I suppose our mission here is accomplished.
McCoy: Yes, I suppose you're right.
Re:In other news... (Score:3, Funny)
Re:In other news... (Score:1, Funny)
OTOH, I don't have any Libertarians riding fireballs into my house.
escape-characters poorly misunderstood? (Score:4, Funny)
I dunno, they seem fully misunderstood in this case.
Re:Heh... surprised? (Score:3, Funny)
So am I more secure if I sing myself instead of letting the computer do it for me?
Does it matter which song I sing? I guess "ring of fire" would make a good firewall?
SCNR :-)
Re:Paypal uses an EV cert. (Score:3, Funny)
> Never type a password into a site unless you see a lock icon in your browser.
So how'd you log into Slashdot?
Re:Yay Choices! (Score:1, Funny)
From this information I have already deduced your IP address is 127.0.0.1
Re:In other news... (Score:2, Funny)
Neither does FF on Windows, don't know about Opera though. Doubtless a fanboi will be along with the news shortly.