There has been a lot of noise about over the past few days about attacking SSL using counterfeit certificates. The story gained momentum when a fake certificate for www.paypal.com was posted to the net with Paypal banning the author of the exploit from their service a few days later. It is possible to create the false certificate because certain browsers that rely on the Microsoft CryptoAPI fail to correctly interpret a null character in the common name. There seems to be much confusion about the seriousness of the vulnerability and how to exploit it. If you have a spare hour, I recommend watching the original Black Hat presentation by Moxie Marlinspike entitled More Tricks for SSL, which examines techniques for attacking SSL traffic including using certificates with the null byte in the common name. It includes examples of how such attacks can be used to harvest real data.
Subscribe to:
Post Comments (Atom)
Posts
No comments:
Post a Comment