[http://www.h-online.com/security/SSL-trick-certificate-published--/news/114361]
Time to test your browsers, especially those on mobile phones.

=====
SSL trick certificate published

On the Noisebridge hacker mailing list, security specialist Jacob Appelbaum has published an SSL certificate and the pertinent private key that together allow web servers to avoid triggering an alert in vulnerable browsers - irrespective of the domain for which the certificate is submitted. Phishers, for example, could use the certificate to disguise their servers as legitimate banking servers – which would only be detectable by subjecting the certificate to closer scrutiny.

[...]

Appelbaum didn't enter the zero between the domain name and the name of Marlinspike's thoughtcrime.org domain. Instead, he entered *\00thoughtcrime.noisebridge.net, effectively creating a wildcard certificate for arbitrary domain names:

CN = *\00thoughtcrime.noisebridge.net
OU = Moxie Marlinspike Fan Club
O = Noisebridge
L = San Francisco
ST = California
C = US

[...]

Users should not automatically assume that their applications no longer contain the hole. Mobile phone vendor RIM, for instance, only released the certificate update for its BlackBerry products yesterday.

[...]
=====

--
Soh Kam Yung
my Google Reader Shared links: (http://www.google.com/reader/shared/16851815156817689753)
my Google Reader Shared SFAS links: (http://www.google.com/reader/shared/user/16851815156817689753/label/sfas)

_______________________________________________
LUGS Mailing list - [email protected]
List FAQ: http://wiki.lugs.org.sg/LugsMailingListFaq
Info page: http://www.lugs.org.sg/mailman/listinfo/slugnet
To unsubscribe send an empty email to: [email protected]
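The mechanism behind the certificate above, as an added example that is not part of the forwarded message or of the h-online article and is not Appelbaum's or Marlinspike's code. The Common Name in a certificate is an ASN.1 string with an explicit length, so a CA can sign a value containing a NUL byte if the applicant controls the part after it. A client that copies that CN into a C char buffer and compares it with strcmp-style calls silently stops at the NUL, so "*\00thoughtcrime.noisebridge.net" is compared as the bare wildcard "*", and "www.paypal.com\00thoughtcrime.org" (Marlinspike's original form) is compared as "www.paypal.com". The two matchers and the sample CNs below are constructed for illustration; the "hardened" rules (reject NUL, honour full length, wildcard only as the whole leftmost label of a name with at least two more labels) are a plain restatement of what a correct matcher must do, not a quotation of any particular browser's fix.

```python
"""Null-prefix Common Name matching: vulnerable C-string path vs hardened path.

Added example, not code from the article or from the people it names.
Sample CNs are constructed; the certificate published on the list is not used.
"""

NUL = b"\x00"

# Constructed sample Common Names, as the raw bytes a certificate would carry.
CN_MARLINSPIKE = b"www.paypal.com" + NUL + b"thoughtcrime.org"
CN_APPELBAUM = b"*" + NUL + b"thoughtcrime.noisebridge.net"
CN_HONEST_WILDCARD = b"*.noisebridge.net"


def as_c_string(cn: bytes) -> str:
    """Emulate a TLS stack that copies the CN into a char buffer and then uses
    strlen()/strcmp(): everything from the first NUL byte onward disappears."""
    head, _, _ = cn.partition(NUL)
    return head.decode("ascii", errors="replace")


def liberal_wildcard_match(pattern: str, host: str) -> bool:
    """Liberal matcher of the kind several 2009-era clients used: a single '*'
    may stand in for any run of characters, including an entire hostname."""
    pattern, host = pattern.lower(), host.lower()
    if "*" not in pattern:
        return pattern == host
    prefix, _, suffix = pattern.partition("*")
    return (host.startswith(prefix) and host.endswith(suffix)
            and len(host) >= len(prefix) + len(suffix))


def vulnerable_matches(cn: bytes, host: str) -> bool:
    """Vulnerable path: truncation at NUL happens before the name comparison,
    so the CA-validated suffix (thoughtcrime.org / noisebridge.net) is never seen."""
    return liberal_wildcard_match(as_c_string(cn), host)


def hardened_matches(cn: bytes, host: str) -> bool:
    """Hardened path: use the full ASN.1 length, refuse embedded NUL bytes, and
    accept '*' only as the complete leftmost label of a name that still has at
    least two more labels, so '*' alone can never match everything."""
    if NUL in cn:
        return False  # a NUL byte is never legitimate inside a DNS name
    try:
        pattern = cn.decode("ascii").lower()
    except UnicodeDecodeError:
        return False
    host = host.lower()
    if "*" not in pattern:
        return pattern == host
    labels = pattern.split(".")
    if labels[0] != "*" or any("*" in label for label in labels[1:]) or len(labels) < 3:
        return False
    host_labels = host.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


if __name__ == "__main__":
    for cn in (CN_MARLINSPIKE, CN_APPELBAUM, CN_HONEST_WILDCARD):
        for host in ("www.paypal.com", "www.bank.example", "www.noisebridge.net"):
            print(f"{cn!r:50} {host:22} vulnerable={vulnerable_matches(cn, host)!s:5} "
                  f"hardened={hardened_matches(cn, host)}")
```

Running the block prints a small table: the NUL-bearing CNs match any host (Appelbaum's) or exactly the spoofed host (Marlinspike's) under the vulnerable matcher and nothing at all under the hardened one, while the honest "*.noisebridge.net" wildcard behaves identically in both. The same two checks, rejecting a NUL anywhere in the name and refusing a lone "*", are what to look for when testing a client against the published certificate.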
