  1. #1 ibe98765 (5 Star Lounger; Bay Area, California, USA; joined Aug 2001)
    IE, Chrome, Safari duped by bogus PayPal SSL cert
    Fraudulent credential, real risk
    By Dan Goodin in San Francisco
    5th October 2009 23:24 GMT

    If you use the Internet Explorer, Google Chrome or Apple Safari browsers during PayPal transactions, now would be a good time to switch over to the decidedly more secure Firefox alternative.

    That's because a hacker on Monday published a counterfeit secure sockets layer certificate that exploits a gaping hole in a Microsoft library used by all three of those browsers. Although the certificate is fraudulent, it appears to all three to be a completely legitimate credential vouching for the online payment service. The bug was disclosed more than nine weeks ago (http://www.theregister.co.uk/2009/07...l_certificate/), but Microsoft has yet to fix (http://www.theregister.co.uk/2009/10...rypto_ssl_bug/) it.

    Monday's release of the so-called null-prefix certificate (http://seclists.org/fulldisclosure/2009/Oct/87) for PayPal is a serious blow to online security because it makes it trivial for cybercrooks to defeat one of the web's oldest and most relied upon defenses against man-in-the-middle attacks. PayPal and thousands of other financial websites use the certificates to generate a digital signature that mathematically proves login pages aren't forgeries that were set up by con artists who are sitting in between the user and the website he's trying to view.

    ...

    Fortunately, Mozilla developers patched the hole a few days after Marlinspike's demo and Apple followed suit a few weeks later. That means if you're on Windows, the only way to protect yourself against this critical vulnerability is to use versions 3.5 or 3.0.13 or later of Firefox. At least until Microsoft fixes the CryptoAPI, whenever that may be.
    http://www.theregister.co.uk/2009/10/05/fr...cate_published/
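The article above describes the failure mode in general terms: the certificate's subject name carries an embedded NUL byte, and a consumer that treats the name as a C string stops reading at that byte and sees only the benign prefix. The example below is added here and is not code from the thread, from The Register, or from Microsoft; it models that class of bug with a simple NUL-terminated comparison rather than CryptoAPI's real implementation. The certificate name is a constructed sample, not the published certificate, and the helper names (`der_read_string`, `vulnerable_match`, `hardened_match`) are this example's own.

```python
"""Null-prefix certificate names: a NUL-truncating matcher beside a length-aware one.

Added example (not from the forum thread or the quoted article).  The subject
name below is CONSTRUCTED for illustration; the matcher names are hypothetical.
"""

# Constructed sample: a DER UTF8String (tag 0x0C, short-form length) whose
# value holds an embedded NUL.  DER is length-prefixed, so the full value is
# carried intact; only a NUL-terminated consumer loses the tail.
FAKE_CN_VALUE = b"www.paypal.com\x00evil.example"
FAKE_CN_DER = bytes([0x0C, len(FAKE_CN_VALUE)]) + FAKE_CN_VALUE


def der_read_string(buf: bytes) -> bytes:
    """Minimal DER reader for one short-form string element (UTF8/Printable/IA5)."""
    if len(buf) < 2:
        raise ValueError("truncated DER element")
    tag, length = buf[0], buf[1]
    if tag not in (0x0C, 0x13, 0x16):
        raise ValueError(f"unexpected tag 0x{tag:02x}")
    if length & 0x80:
        raise ValueError("long-form length not handled in this example")
    if len(buf) < 2 + length:
        raise ValueError("DER length exceeds buffer")
    return buf[2:2 + length]


def as_cstring(value: bytes) -> str:
    """Model a C-string consumer: everything after the first NUL is discarded."""
    return value.split(b"\x00", 1)[0].decode("ascii", "replace")


def vulnerable_match(cert_name: bytes, hostname: str) -> bool:
    """Flawed behaviour: compares only the NUL-terminated prefix of the name."""
    return as_cstring(cert_name).lower() == hostname.lower()


def hardened_match(cert_name: bytes, hostname: str) -> bool:
    """Length-aware match: reject NUL or non-ASCII, then compare label by label.

    A wildcard is honoured only as the entire leftmost label and only when the
    hostname has at least three labels, so '*.com' never matches 'paypal.com'.
    """
    if b"\x00" in cert_name:
        return False
    try:
        name = cert_name.decode("ascii")
    except UnicodeDecodeError:
        return False
    name = name.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if not name or not host:
        return False
    n_labels, h_labels = name.split("."), host.split(".")
    if len(n_labels) != len(h_labels) or "" in n_labels or "" in h_labels:
        return False
    for i, (n, h) in enumerate(zip(n_labels, h_labels)):
        if n == "*" and i == 0 and len(h_labels) > 2:
            continue
        if n != h:
            return False
    return True


def audit(cert_name_der: bytes, hostname: str) -> dict:
    """Decode the DER name and report what each matcher concludes."""
    value = der_read_string(cert_name_der)
    return {
        "decoded": value,
        "contains_nul": b"\x00" in value,
        "vulnerable_accepts": vulnerable_match(value, hostname),
        "hardened_accepts": hardened_match(value, hostname),
    }


if __name__ == "__main__":
    for key, val in audit(FAKE_CN_DER, "www.paypal.com").items():
        print(f"{key:>19}: {val!r}")
```

The point of `audit` is the contrast: the decoded name visibly contains the NUL and the tail, the truncating matcher accepts it for www.paypal.com, and the length-aware matcher rejects it outright. A defender reviewing certificate-handling code can use the same two checks (NUL in the decoded name, length-aware label comparison) as a unit test against any name-matching routine.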

  2. #2 IanWilson (Bronze Lounger; Bristol, United Kingdom; joined Dec 2000)
    [quote name='ibe98765' post='796538' date='06-Oct-2009 03:08']http://www.theregister.co.uk/2009/10/05/fr...cate_published/[/quote]
    and what of Opera?

    Ian

  3. #3 jscher2000 (Super Moderator; Silicon Valley, USA; joined Feb 2001)
    [quote name='IanWilson' post='796555' date='06-Oct-2009 01:12']and what of Opera?[/quote]
    Is it a bad sign for Opera users that "black hat" hackers don't even report whether the browser is vulnerable? There might be a "safe" demo site on the web to test Opera, but I don't volunteer to look for it.

  4. #4 jonWallace (4 Star Lounger; Dundee, Scotland; joined Jan 2001)
    [quote name='IanWilson' post='796555' date='06-Oct-2009 09:12']and what of Opera?

    Ian[/quote]

    Have a look here, Ian

    and compare that with here, for example...

    edited to add snide remark!
    John (Unreconstructed Jacobite)

  5. #5 IanWilson (Bronze Lounger; Bristol, United Kingdom; joined Dec 2000)
    [quote name='jonWallace' post='796848' date='07-Oct-2009 22:26']Have a look here, Ian

    and compare that with here, for example...

    edited to add snide remark![/quote]
    So we can feel a little bit smug, then.

    Ian

  6. #6 jscher2000 (Super Moderator; Silicon Valley, USA; joined Feb 2001)
    [quote name='jonWallace' post='796848' date='07-Oct-2009 14:26']Have a look here, Ian

    and compare that with here, for example... [/quote]
    I don't know that Secunia has an advisory for IE, Chrome or Safari for this issue yet (I couldn't find it). In which case, the absence of an advisory for Opera is not very compelling evidence that it is not affected...

  7. #7 jonWallace (4 Star Lounger; Dundee, Scotland; joined Jan 2001)
    [quote name='jscher2000' post='796877' date='08-Oct-2009 02:48']I don't know that Secunia has an advisory for IE, Chrome or Safari for this issue yet (I couldn't find it). In which case, the absence of an advisory for Opera is not very compelling evidence that it is not affected...[/quote]

    You're right. Bad research on my part.

    However, the problem revolves around Microsoft's CryptoAPI, which Opera and Mozilla don't rely on.
    John (Unreconstructed Jacobite)

  8. #8 jscher2000 (Super Moderator; Silicon Valley, USA; joined Feb 2001)
    The patch was released yesterday: Microsoft Security Bulletin MS09-056 - Important: Vulnerabilities in Windows CryptoAPI Could Allow Spoofing (974571). If you use automatic updates, you may already have it installed.
