Comments on: SSL exploit turns Firefox into malware distributor http://www.formortals.com/ssl-exploit-turns-firefox-into-malware-distributor/ Because technology isn't just for geeks Tue, 24 Jan 2012 20:02:45 +0000 hourly 1 http://wordpress.org/?v=3.0.3 By: Programming news: Firefox SSL flaw, Rails BugMash event, browser compatibility on Digg | Programming and Development | TechRepublic.com http://www.formortals.com/ssl-exploit-turns-firefox-into-malware-distributor/comment-page-1/#comment-2016 Programming news: Firefox SSL flaw, Rails BugMash event, browser compatibility on Digg | Programming and Development | TechRepublic.com Tue, 04 Aug 2009 05:59:23 +0000 http://www.formortals.com/?p=648#comment-2016 [...] all?) unnamed Certificate Authority (CA) validates the domain name in SSL certificate creation, Firefox is vulnerable to a flaw that tricks it into accepting valid SSL certificates issued to other.... At the heart of the matter is that the CA(s) are allowing certificate requests to be processed [...] [...] all?) unnamed Certificate Authority (CA) validates the domain name in SSL certificate creation, Firefox is vulnerable to a flaw that tricks it into accepting valid SSL certificates issued to other…. At the heart of the matter is that the CA(s) are allowing certificate requests to be processed [...]

]]> By: George Ou http://www.formortals.com/ssl-exploit-turns-firefox-into-malware-distributor/comment-page-1/#comment-1964 George Ou Fri, 31 Jul 2009 18:26:05 +0000 http://www.formortals.com/?p=648#comment-1964 It's not just open source. Everyone screwed this implementation of X.509 up including Microsoft Crypto API and just about every other implementation of SSL. It’s not just open source. Everyone screwed this implementation of X.509 up including Microsoft Crypto API and just about every other implementation of SSL.

]]> By: nucrash http://www.formortals.com/ssl-exploit-turns-firefox-into-malware-distributor/comment-page-1/#comment-1955 nucrash Fri, 31 Jul 2009 12:28:56 +0000 http://www.formortals.com/?p=648#comment-1955 Well, that's a failing by Open Source. I would hope to see an update, but would be afraid to use the auto update tool of FF. :/ Well, that’s a failing by Open Source. I would hope to see an update, but would be afraid to use the auto update tool of FF. :/

]]> By: George Ou http://www.formortals.com/ssl-exploit-turns-firefox-into-malware-distributor/comment-page-1/#comment-1941 George Ou Thu, 30 Jul 2009 22:08:23 +0000 http://www.formortals.com/?p=648#comment-1941 <a href="#comment-1936" rel="nofollow">@Justin James </a> Well, the CAs use OpenSSL which does not treat NULL CHAR as an end of string. The clients on the other hand such as Crypto API do treat NULL CHAR as end of string. That's your disconnect right there. Now the CAs can probably change their signing application to reject anything with a NULL CHAR in the subject line which would probably make sense since there's no reason to have a character that the DNS system doesn't recognize anyways. @Justin James

Well, the CAs use OpenSSL which does not treat NULL CHAR as an end of string. The clients on the other hand such as Crypto API do treat NULL CHAR as end of string. That’s your disconnect right there.

Now the CAs can probably change their signing application to reject anything with a NULL CHAR in the subject line which would probably make sense since there’s no reason to have a character that the DNS system doesn’t recognize anyways.

]]> By: Justin James http://www.formortals.com/ssl-exploit-turns-firefox-into-malware-distributor/comment-page-1/#comment-1936 Justin James Thu, 30 Jul 2009 18:52:01 +0000 http://www.formortals.com/?p=648#comment-1936 That is a truly nasty bug. Great question... why would a CA sign a cert with a domain name that is not a valid domain name? Once again, poor programming... J.Ja That is a truly nasty bug. Great question… why would a CA sign a cert with a domain name that is not a valid domain name? Once again, poor programming…

J.Ja

]]>