Thread: Fake SSL cert cannot be revoked
View Single Post
Old 10-06-2009, 10:22 PM   #1 (permalink)
awesometbn
More whining
 
awesometbn's Avatar
 
Join Date: Oct 2008
Location: USA
Posts: 256
iTrader: 1 / 100%
awesometbn has a reputation beyond reputeawesometbn has a reputation beyond reputeawesometbn has a reputation beyond reputeawesometbn has a reputation beyond reputeawesometbn has a reputation beyond reputeawesometbn has a reputation beyond reputeawesometbn has a reputation beyond reputeawesometbn has a reputation beyond reputeawesometbn has a reputation beyond reputeawesometbn has a reputation beyond reputeawesometbn has a reputation beyond repute
Darkside Fake SSL cert cannot be revoked
Null-Prefix SSL Certificate For PayPal Released

A bit of bad news for anyone who still trusts the padlock icon in their browser without taking a few precautions. This SSL flaw has been known for a while, and became especially popular after a presentation at Defcon.

Quote:
The take-away from all of this is that if you use IE, Chrome or Safari for Windows to browse SSL-protected parts of PayPal, there's no way to know if they are genuine - at least until Microsoft gets around to fixing the bug. And because it's entirely possible null-prefix certificates for other sites have been issued more quietly, there's no way to rely on SSL at all for those browsers.
Sources:
hxxp://it.slashdot.org/story/09/10/06/2118211/Null-Prefix-SSL-Certificate-For-PayPal-Released
hxxps://www.noisebridge.net/pipermail/noisebridge-discuss/2009-September/008400.html
hxxp://www.theregister.co.uk/2009/10/05/fraudulent_paypay_certificate_published/
__________________
Let us help you run your own music teaching studio. Trombone or guitar or piano or *any* instrument you can teach! A more efficient studio means more money in your pocket.

Reason for avatar: http://www.wickedfire.com/sell-buy-t...-pictures.html
awesometbn is offline   Reply With Quote