Monday | October 22, 2018
IE, Safari and Chrome fooled by bogus Paypal SSL certification

Yesterday a hacker published a counterfeit Secure Sockets Layer (SSL) certificate that exploits a hole in a Microsoft library used by three leading browsers: IE, Safari and Chrome. Although the certificate is fake, it appears completely legitimate and fools the browsers into thinking nothing is wrong. The bug was actually discovered over two months ago, but Microsoft have been slow in applying a bug fix.

Yesterday’s release of the null prefix certificate for Paypal is a very serious issue for online security because it makes it easy for net conmen to defeat one of the net’s oldest and most relied-upon defenses against specific attacks. Paypal and many other websites use these certificates to generate a digital signature that proves login pages are not fake. With the forged certificate, the page still appears genuine while a hacker sits between the website and the end user, reading his login information.

The certificate exploits a security hole in the Microsoft application programming interface known as CryptoAPI, which Internet Explorer, Apple Safari and Google Chrome use to parse a website’s SSL certificates. Although the certificate is forged, it can be used with a hacking tool called SSL Sniff to cause all of these browsers to display a faked page with no warnings whatsoever, even when the address is ‘secure’ (https). Windows users are the only ones at risk.
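A "null prefix" name contains an embedded NUL byte, so code that reads the name as a C string stops at the NUL and never sees the rest. The C sketch below is an added illustration of that parsing mistake next to a length-aware check; it is not CryptoAPI code or code from this article, and the struct, function names and sample names are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

/* A certificate name as encoded: raw bytes plus an explicit length.
   It may contain any byte value, including NUL. (Hypothetical type.) */
struct cert_name {
    const unsigned char *data;
    size_t len;
};

/* Flawed pattern: treat the name as a C string. The comparison stops at
   the first NUL byte, so everything after it is silently ignored.
   (The sample buffers below carry a trailing NUL, so this read is safe.) */
int match_cstring(const struct cert_name *cn, const char *host)
{
    return strcmp((const char *)cn->data, host) == 0;
}

/* Hardened pattern: reject any name with an embedded NUL, then compare
   over the full encoded length. Case folding and wildcards are omitted. */
int match_length_aware(const struct cert_name *cn, const char *host)
{
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return 0;
    return cn->len == strlen(host) && memcmp(cn->data, host, cn->len) == 0;
}

/* Constructed sample names, not taken from any real certificate. */
static const unsigned char NULL_PREFIX[] = "www.paypal.com\0.example.test";
static const unsigned char HONEST[] = "www.paypal.com";

const struct cert_name null_prefix_name = { NULL_PREFIX, sizeof NULL_PREFIX - 1 };
const struct cert_name honest_name = { HONEST, sizeof HONEST - 1 };

int main(void)
{
    const char *host = "www.paypal.com";
    printf("null-prefix name, C-string compare:   %d\n",
           match_cstring(&null_prefix_name, host));
    printf("null-prefix name, length-aware check: %d\n",
           match_length_aware(&null_prefix_name, host));
    printf("honest name, length-aware check:      %d\n",
           match_length_aware(&honest_name, host));
    return 0;
}
```

The same embedded-NUL test is useful when auditing issued certificates: a subject or alternative name whose encoded length exceeds its C-string length should be rejected outright.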

Paypal have made a public announcement that they are aware of the issue and are putting resources into fixing the Microsoft issue on the Paypal side. As yet this is not in place, so caution should be taken.

Mozilla developers patched the hole a few days after a hacker demonstrated the issue at the Black Hat security conference in Las Vegas, and Apple also fixed the issue shortly afterward. The issue is totally focused on Microsoft Windows users, and the only way to remain fully protected against this massive security risk is to use versions 3.0.13 or 3.5 of Firefox. DriverHeaven will keep you posted as to when Microsoft fix the CryptoAPI.

-Allan Campbell, Heaven Media

About Author

Stuart Davidson
