Bye bye SSL protection, hello man in the middle!

There’s a scary article on Slashdot about an SSL attack that was revealed at this year’s DEFCON hacker conference. Now there’s been a certificate issued for PayPal which aids in exploiting the hole. This is the null-prefix attack!
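The post names the null-prefix attack without spelling out what it is: the certificate’s Common Name carries an embedded NUL byte, and a client that compares names as NUL-terminated C strings stops reading at the NUL, so a name like `www.paypal.com\0.attacker.example` is seen as `www.paypal.com`. The Python below is an added example, not code from this post or from any of the tools it links to. It models that C-string comparison beside a length-aware check that rejects embedded NULs. The CN values and the `attacker.example` domain are constructed for the demo, and the name-matching rules are a simplified stand-in for full RFC 2818 hostname matching.

```python
# Added example (not from the original post): modelling why an embedded NUL
# byte in a certificate Common Name defeats C-string based hostname matching,
# and a length-aware comparison that closes the gap.


def cn_as_c_string(cn: bytes) -> bytes:
    """Model of a consumer that treats the CN as a NUL-terminated C string:
    everything from the first NUL onward is silently dropped. This is an
    illustrative model, not the actual Crypto API code."""
    nul = cn.find(b"\x00")
    return cn if nul < 0 else cn[:nul]


def _name_matches(name: str, hostname: str) -> bool:
    """Simplified RFC 2818 style matching: case-insensitive, label by label,
    with '*' allowed only as the entire leftmost label of a name that has at
    least three labels, matching exactly one label of the hostname."""
    p = name.lower().split(".")
    h = hostname.lower().split(".")
    if len(p) != len(h) or any(label == "" for label in h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def vulnerable_match(cn: bytes, hostname: str) -> bool:
    """Matches the way a NUL-terminated string comparison would: the bytes
    after the NUL never take part in the comparison."""
    name = cn_as_c_string(cn).decode("ascii", errors="replace")
    return _name_matches(name, hostname)


def safe_match(cn: bytes, hostname: str) -> bool:
    """Length-aware comparison: a NUL anywhere in the CN makes the name
    invalid, and the whole CN (all of its bytes) must match the host."""
    if b"\x00" in cn:
        return False
    try:
        name = cn.decode("ascii")
    except UnicodeDecodeError:
        # Hostnames in a CN are ASCII (IDNs are punycode-encoded); anything
        # else is not a name we can safely compare.
        return False
    return _name_matches(name, hostname)


if __name__ == "__main__":
    # Constructed sample CNs; attacker.example is a placeholder domain.
    null_prefix_cn = b"www.paypal.com\x00.attacker.example"
    honest_cn = b"www.paypal.com"
    for cn in (null_prefix_cn, honest_cn):
        print(cn, "vulnerable:", vulnerable_match(cn, "www.paypal.com"),
              "safe:", safe_match(cn, "www.paypal.com"))
```

`vulnerable_match` accepts the null-prefix certificate for `www.paypal.com` while `safe_match` rejects it; both accept the honest certificate, and both honour a plain `*.paypal.com` wildcard. The point for a defender is the first line of `safe_match`: any name component containing a NUL byte is treated as invalid rather than truncated, which is the check the vulnerable clients lacked.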

The Register

SSL Hacking tools here. And while we are at it, let’s defeat OCSP too, so revoked certificates aren’t checked by the client!

Bottom line, until MS fixes their Crypto API, if you are super paranoid then use Firefox or Safari on Mac (not on Windows).

Update: The October 2009 patches from Microsoft close this security hole. So be sure you run Windows update and apply all the latest patches.

