Peaches Posted October 7, 2009 Report Share Posted October 7, 2009 6 October 2009, 16:22 Forged PayPal certificate fools IE, Chrome and Safari The posting of a trick SSL certificate for www.paypal.com and its pertaining private key on the Full Disclosure security mailing list should finally force Microsoft, Google and Apple into releasing updates to fix the NULL prefix vulnerability. Phishers, for example, could use the certificate to disguise their servers as legitimate banking servers – which would only be detected by subjecting the certificate to closer scrutiny. The certificate could also be used for man-in-the-middle attacks in local networks. Inserting a null character in a certificate's common name will prompt vulnerable browsers to only read up to this character, although the certificate may have actually been issued for a different domain. The current case tricks a browser into thinking that it has detected a valid certificate for www.paypal.com. The hole has been known to exist in various browsers for several weeks. So far, of all the popular browsers, only Firefox and Opera have not fallen for the trick. More at Heise security - http://www.h-online.com/security/Forged-Pa...i--/news/114403 Quote Link to post Share on other sites
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.