[vox] Article link: "Wildcard certificate spoofs web authentication"
Bill Kendrick
nbs at sonic.net
Thu Jul 30 07:51:51 PDT 2009
Wildcard certificate spoofs web authentication
SSL felled by null string
By Dan Goodin
The Register, Enterprise Security, 30th July 2009 03:13 GMT
http://www.theregister.co.uk/2009/07/30/universal_ssl_certificate/
The attack [...] exploits a weakness in the process for generating secure
sockets layer certificates. It works by adding a null string character
to several certificate fields, a technique that tricks browsers and
other SSL-enabled programs into misinterpreting the domain name that
is being authenticated.
...
At the moment, version 3.5 of Firefox is the only browser that is
protected against the attack, although Sassaman said Internet Explorer
provides some protection too.
FWIW, Firefox 3.5 is available in Ubuntu 9.04 as the "firefox-3.5" package.
(The plain "firefox" package currently gives you Firefox 3.0.12.)
--
-bill!
Sent from my computer
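
The name-matching flaw described in the quoted article, as an added C example that is not part of the original post or the article: a matcher that treats a certificate name field as a C string stops reading at the first NUL byte, while a length-aware matcher rejects the field outright. The struct, function names and sample names are constructed for illustration, and wildcard handling is left out.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* A certificate name field as decoded from ASN.1: raw bytes plus an explicit
 * length (hypothetical struct for this example). */
struct cert_name {
    const unsigned char *data;
    size_t len;
};

/* Constructed sample values; the first has a NUL byte inside the name. */
static const unsigned char NUL_CN[]   = "www.example.com\0.other.test";
static const unsigned char CLEAN_CN[] = "www.example.com";

/* Flawed: treats the field as a C string, so the comparison ends at the
 * first NUL and never sees the rest of the name. */
int naive_name_matches(const struct cert_name *cn, const char *host)
{
    return strcasecmp((const char *)cn->data, host) == 0;
}

/* Hardened: a name containing NUL is malformed and never matches; otherwise
 * compare all cn->len bytes against the host name. */
int strict_name_matches(const struct cert_name *cn, const char *host)
{
    size_t host_len = strlen(host);

    if (memchr(cn->data, '\0', cn->len) != NULL)
        return 0;
    if (cn->len != host_len)
        return 0;
    return strncasecmp((const char *)cn->data, host, host_len) == 0;
}

int main(void)
{
    struct cert_name bad  = { NUL_CN,   sizeof NUL_CN - 1 };
    struct cert_name good = { CLEAN_CN, sizeof CLEAN_CN - 1 };
    const char *host = "www.example.com";

    printf("NUL name:   naive=%d strict=%d\n",
           naive_name_matches(&bad, host), strict_name_matches(&bad, host));
    printf("clean name: naive=%d strict=%d\n",
           naive_name_matches(&good, host), strict_name_matches(&good, host));
    return 0;
}
```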