Discover Cryptography News
Forged PayPal certificate fools IE, Chrome and Safari
The posting of a trick SSL certificate for www.paypal.com and its pertaining private key on the Full Disclosure security mailing list should finally force Microsoft, Google and Apple into releasing updates to fix the NULL prefix vulnerability. Phishers, for example, could use the certificate to disguise their servers as legitimate banking servers
Inserting a null character in a certificate's common name will prompt vulnerable browsers to only read up to this character, although the certificate may have actually been issued for a different domain. The current case tricks a browser into thinking that it has detected a valid certificate for www.paypal.com. The hole has been known to exist in various browsers for several weeks. So far, of all the popular browsers, only Firefox and Opera have not fallen for the trick.
The link for this article located at H Security is no longer available.