IE, Safari and Chrome fooled by bogus Paypal SSL certificate

Discussion in 'News Discussion' started by HardwareHeaven, Oct 6, 2009.

  1. HardwareHeaven

    HardwareHeaven Administrator Staff Member
    Yesterday a hacker published a counterfeit secure sockets layer certificate that exploits a hole in a Microsoft library used by three leading browsers - IE, Safari and Chrome. Although this certificate is fake, it appears to be completely legitimate and fools the browsers into thinking nothing is wrong. The bug was actually discovered over two months ago but Microsoft have been slow in applying a bug fix.

    Yesterday's release of the null prefix certificate for Paypal is a very serious issue to online security because it makes it easy for net conmen to defeat one of the net's oldest and most relied upon defenses against specific attacks. Paypal and many other websites use these certificates to generate a digital signature that proves login pages are not fake - meanwhile a hacker is sitting between the website and the end user reading his login information.

    The certificate exploits a security hole based around the Microsoft application programming interface known as CryptoAPI, which is used by Internet Explorer, Apple Safari and Google Chrome to parse a website's SSL certificates. This certificate may be forged but it can be used with a hacking tool called SSL Sniff to cause all of these browsers to display a faked page with no warnings whatsoever even when the address is 'secure' (https). Windows users are the only ones at risk.

    Paypal have made a public announcement that they are aware of the issue and they are putting resources into fixing the Microsoft issue on the Paypal side. As yet this is not in place so caution should be taken.

    Mozilla developers patched the hole a few days after a hacker demonstrated the issue at the Black Hat security conference in Las Vegas and Apple also fixed the issue shortly afterward. The issue is totally focused on Microsoft Windows users and the only way to remain fully protected against this massive security risk is to use versions 3.0.13 or 3.5 of Firefox. DriverHeaven will keep you posted as to when Microsoft fix the CryptoAPI.

    -Allan Campbell, Heaven Media
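The null-prefix trick behind the certificate described in the post above, shown as an added example (this is not code from the original post, from Microsoft's CryptoAPI, or from any browser): a subject Common Name in an X.509 certificate is a length-prefixed byte string, so it can legally contain a NUL byte. A parser that copies the CN into a C string and compares it with strcmp() stops at that NUL and only ever sees the bytes before it, so a CN of "www.paypal.com" + NUL + attacker's domain, issued by a CA that validated only the attacker's domain, is accepted as www.paypal.com. The sample CNs below are constructed; the domain after the NUL, attacker.example, is a placeholder and not the one used in the real certificate.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A subject Common Name as stored in an X.509 certificate: an explicit
 * length plus the bytes, so a NUL byte is just another byte. */
typedef struct {
    const unsigned char *data;
    size_t len;
} cn_t;

/* Constructed sample CNs. The null-prefix one is "www.paypal.com", a NUL,
 * then the attacker's real domain; attacker.example is a placeholder. */
static const unsigned char NULL_PREFIX_CN[] = "www.paypal.com\0.attacker.example";
static const unsigned char HONEST_CN[]      = "www.paypal.com";

/* sizeof counts the literal's trailing NUL, which is not part of the CN. */
static const cn_t null_prefix_cn = { NULL_PREFIX_CN, sizeof(NULL_PREFIX_CN) - 1 };
static const cn_t honest_cn      = { HONEST_CN,      sizeof(HONEST_CN) - 1 };

/* Vulnerable check: the CN is copied into a C string and compared with
 * strcmp(), which stops at the first NUL. The attacker's suffix is never
 * looked at, so the null-prefix CN "matches" www.paypal.com. */
bool hostname_matches_cstring(cn_t cn, const char *host)
{
    char buf[256];

    if (cn.len >= sizeof(buf))
        return false;
    memcpy(buf, cn.data, cn.len);
    buf[cn.len] = '\0';
    return strcmp(buf, host) == 0;
}

/* Length-aware check: a NUL can never occur in a DNS name, so its presence
 * is rejected outright, and the comparison uses the full declared length. */
bool hostname_matches_lengthaware(cn_t cn, const char *host)
{
    size_t host_len = strlen(host);

    if (memchr(cn.data, '\0', cn.len) != NULL)
        return false;
    if (cn.len != host_len)
        return false;
    return memcmp(cn.data, host, host_len) == 0;
}

/* How many bytes of the CN a C-string parser would actually look at. */
size_t bytes_seen_by_cstring_parser(cn_t cn)
{
    const unsigned char *nul = memchr(cn.data, '\0', cn.len);
    return nul ? (size_t)(nul - cn.data) : cn.len;
}

int main(void)
{
    const char *host = "www.paypal.com";

    printf("CN declared length %zu, C-string parser sees %zu bytes\n",
           null_prefix_cn.len, bytes_seen_by_cstring_parser(null_prefix_cn));
    printf("strcmp-based match:      %s\n",
           hostname_matches_cstring(null_prefix_cn, host) ? "ACCEPTED" : "rejected");
    printf("length-aware match:      %s\n",
           hostname_matches_lengthaware(null_prefix_cn, host) ? "ACCEPTED" : "rejected");
    printf("honest CN, length-aware: %s\n",
           hostname_matches_lengthaware(honest_cn, host) ? "accepted" : "REJECTED");
    return 0;
}
```

The fix a browser or TLS library needs is the second function's shape: treat the CN (and each subjectAltName) as length plus bytes end to end, and reject any name containing a NUL rather than silently truncating at it. The same check applies to wildcard matching, where a NUL placed after the wildcard label defeats a C-string comparison the same way.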
     
  2. craig5320

    craig5320 Well-Known Member
    Very worrying indeed, I hope MS fix it fast!
     
  3. Teme

    Teme Super Moderator
    You need to wait until the next patch Tuesday ..... Unless MS release the fix as soon as they get it done.
     
  4. clanman

    clanman New Member
    My friend had his paypal account hacked because of this and paypal really looked after him by giving him his money back. Nightmare however, never knew it was due to IE issues. Thank god I use firefox as I am always in my paypal account via ebay.

    MS need to sort this out, they actually needed to do it weeks ago.
     
  5. simonw

    simonw New Member
    MS need to get their act together, this is a serious issue. I'm thankful that I use Linux for my web browsing needs.
     
