Null Character Hack Allows SSL Spoofing

Jul 31

eldavojohn writes “Two researchers, Dan Kaminsky and Moxie Marlinspike, came up with the exact same way to fake being a popular website with authentication from a certificate authority. Wired has the details: ‘When an attacker who owns his own domain — badguy.com — requests a certificate from the CA, the CA, using contact information from Whois records, sends him an email asking to confirm his ownership of the site. But an attacker can also request a certificate for a subdomain of his site, such as Paypal.com.badguy.com, using the null character in the URL. The CA will issue the certificate for a domain like PayPal.com.badguy.com because the hacker legitimately owns the root domain badguy.com. Then, due to a flaw found in the way SSL is implemented in many browsers, Firefox and others theoretically can be fooled into reading his certificate as if it were one that came from the authentic PayPal site. Basically when these vulnerable browsers check the domain name contained in the attacker’s certificate, they stop reading any characters that follow the “\0” in the name.’”

Read more of this story at Slashdot.
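The truncation described in the quoted passage, shown beside a length-aware check that rejects embedded null bytes. This is an added example, not part of the original post and not any browser's code; `struct cert_name` and both function names are hypothetical, and the sample names are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* A certificate name as a parser hands it over: raw bytes plus an explicit
 * length. It is not a C string and may legally contain 0x00 bytes. */
struct cert_name {
    const unsigned char *data;
    size_t len;
};

/* Flawed check: treats the name as NUL-terminated, so every byte after the
 * first 0x00 is ignored (the behaviour the quoted text describes). */
int match_cstring(const struct cert_name *cn, const char *host)
{
    return strcasecmp((const char *)cn->data, host) == 0;
}

/* Hardened check: refuse any name containing 0x00, then compare using the
 * encoded length so the whole name must equal the hostname. */
int match_length_aware(const struct cert_name *cn, const char *host)
{
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return 0;
    if (cn->len != strlen(host))
        return 0;
    return strncasecmp((const char *)cn->data, host, cn->len) == 0;
}

/* Constructed sample names. sizeof - 1 drops only the literal's trailing
 * terminator, keeping the embedded NUL inside the recorded length. */
static const unsigned char spoofed[] = "paypal.com\0.badguy.com";
static const unsigned char genuine[] = "PayPal.com";
const struct cert_name spoofed_cn = { spoofed, sizeof spoofed - 1 };
const struct cert_name genuine_cn = { genuine, sizeof genuine - 1 };

int main(void)
{
    const char *host = "paypal.com";
    printf("spoofed name, C-string check:     %d\n", match_cstring(&spoofed_cn, host));
    printf("spoofed name, length-aware check: %d\n", match_length_aware(&spoofed_cn, host));
    printf("genuine name, length-aware check: %d\n", match_length_aware(&genuine_cn, host));
    return 0;
}
```

The same embedded-NUL rejection belongs on the issuing side as well, so a request containing 0x00 in a name never reaches validation of the registered domain.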

