Monday, October 5, 2009

SSL Null Prefix Attack in the Wild

Moxie Marlinspike discussed the SSL Null Prefix Attack several weeks ago at BlackHat. Due to flaws in the handling of SSL Certificates, at the time of his talk, all browsers were vulnerable. Shortly after the talk Mozilla patched Firefox for the flaw. Unfortunately, other browsers have not yet followed suit.

What does this mean for you? There is now a fictitious PayPal certificate in the wild. The name on the certificate looks like this:

www.paypal.com\0ssl.secureconnection.cc

If you are using a browser other than Firefox, your browser will determine the above certificate to be valid for SSL connections to paypal.com. This means that an attacker with this certificate can execute a man-in-the-middle attack against your connections to PayPal, and your browser will not alert you to anything because, again, the non-Firefox browsers believe the certificate to be legitimate.

Yikes.

It's time for the other browsers to catch up and patch this flaw ASAP.


-Michael Coates