Webmaster rambling and mental notes
Null Character Hack Allows SSL Spoofing
7/30/2009

Eldavojohn writes "Two researchers, Dan Kaminsky and Moxie Marlinspike, came up with the exact same way to fake being a popular website with authentication from a certificate authority. Wired has the details: 'When an attacker who owns his own domain — badguy.com — requests a certificate from the CA, the CA, using contact information from Whois records, sends him an email asking to confirm his ownership of the site. But an attacker can also request a certificate for a subdomain of his site, such as Paypal.com.badguy.com, using the null character in the URL. The CA will issue the certificate for a domain like PayPal.com.badguy.com because the hacker legitimately owns the root domain badguy.com. Then, due to a flaw found in the way SSL is implemented in many browsers, Firefox and others theoretically can be fooled into reading his certificate as if it were one that came from the authentic PayPal site. Basically when these vulnerable browsers check the domain name contained in the attacker's certificate, they stop reading any characters that follow the "\0" in the name.'"

Read more of this story at Slashdot.
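The name check described in the summary, as an added C example that is not part of the original post and is not any browser's actual code: a comparison that treats the certificate name as a C string stops at the null byte, while a length-aware check rejects the name. The struct, the function names and the sample names (including where the null byte sits) are constructed for illustration, and only exact-match names are handled.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* A certificate name as a parser hands it over: raw bytes plus an explicit
 * length. Certificate strings are length-prefixed, so a 0x00 byte can sit
 * in the middle of the name. (Hypothetical type for this example.) */
struct cert_name {
    const char *data;
    size_t len;
};

/* Flawed check: treats the name as a C string, so the comparison ends at
 * the first NUL and everything after it is ignored. */
int match_naive(const struct cert_name *cn, const char *host)
{
    return strcasecmp(cn->data, host) == 0;
}

/* Hardened check: refuse any name with an embedded NUL, then compare over
 * the full declared length instead of up to a terminator. */
int match_strict(const struct cert_name *cn, const char *host)
{
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return 0;                 /* a NUL is never part of a valid DNS name */
    if (cn->len != strlen(host))
        return 0;
    return strncasecmp(cn->data, host, cn->len) == 0;
}

/* Constructed sample names, not taken from any real certificate. */
static const char evil_bytes[] = "paypal.com\0.badguy.com";
const struct cert_name evil = { evil_bytes, sizeof evil_bytes - 1 };
static const char good_bytes[] = "PayPal.com";
const struct cert_name good = { good_bytes, sizeof good_bytes - 1 };

int main(void)
{
    printf("crafted name: naive=%d strict=%d\n",
           match_naive(&evil, "paypal.com"), match_strict(&evil, "paypal.com"));
    printf("genuine name: naive=%d strict=%d\n",
           match_naive(&good, "paypal.com"), match_strict(&good, "paypal.com"));
    return 0;
}
```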



