Uncorrected vulnerability allows SSL certificate spoofing

Even nine weeks after hacker Marlinspike demonstrated how to spoof authentication certificates for virtually any website on the internet, Microsoft still hasn't patched the underlying vulnerability.
The bug, which resides in an application programming interface known as CryptoAPI, causes applications to be tricked by fraudulent SSL (secure sockets layer) certificates. It stems from code that causes browsers, email clients, and other SSL-enabled apps to ignore all characters following a "\0" character (which is used to denote the end of a sequence of characters in C-based languages). An attacker can use the bug to impersonate websites, VPNs (virtual private networks), and email servers by adding a “null” character to the prefix of an address in a legitimate SSL credential.

Among the browsers that rely on the Microsoft library to parse SSL certificates are Internet Explorer, Google Chrome, and Apple Safari. The Firefox browser, by contrast, fixed the vulnerabilities a few days after Marlinspike's presentation at the Black Hat security conference.

A similar attack, using a wildcard SSL certificate, was published by hacker Jacob Appelbaum; it tricks older versions of the Network Security Services library into authenticating any website on the Internet. Both attacks are serious because even if a fraudulent certificate is later revoked, there are ways to fool browsers into believing it's still valid through a separate attack targeting the TheRegistar web site.
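
The "\0" truncation described above, shown as an added example that is not code from CryptoAPI or from the original article: a name check that treats the certificate field as a C string beside a length-aware check that refuses embedded null bytes. The function names and the `.example` host names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* A certificate name field is length-prefixed data, not a C string.
 * Constructed sample bytes: "www.bank.example\0.attacker.example". */
static const unsigned char SAMPLE_CN[] = "www.bank.example\0.attacker.example";
#define SAMPLE_CN_LEN (sizeof(SAMPLE_CN) - 1)

/* Flawed check: treats the field as a NUL-terminated string, so
 * everything after the embedded "\0" is ignored. */
int match_cstring(const unsigned char *cn, size_t cn_len, const char *host)
{
    (void)cn_len;                       /* encoded length is never consulted */
    return strcmp((const char *)cn, host) == 0;
}

/* Length-aware check: reject any name containing a NUL byte, then
 * compare the full encoded length against the expected host name.
 * Simplification: exact byte match, no wildcard or case handling. */
int match_length_aware(const unsigned char *cn, size_t cn_len, const char *host)
{
    size_t host_len = strlen(host);

    if (memchr(cn, '\0', cn_len) != NULL)
        return 0;                       /* embedded NUL: refuse the certificate */
    return cn_len == host_len && memcmp(cn, host, host_len) == 0;
}

int main(void)
{
    const char *host = "www.bank.example";

    printf("flawed check accepts:       %d\n",
           match_cstring(SAMPLE_CN, SAMPLE_CN_LEN, host));
    printf("length-aware check accepts: %d\n",
           match_length_aware(SAMPLE_CN, SAMPLE_CN_LEN, host));
    printf("length-aware, clean name:   %d\n",
           match_length_aware((const unsigned char *)host, strlen(host), host));
    return 0;
}
```

The flawed check sees only the bytes before the null character, while the length-aware check compares all 34 bytes of the field and rejects the name.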