Defeating SSL Vulnerability Remain unfixed
It has been now Nine weeks since Moxie Marlinspike demonstrated the “new” way of attacking SSL at the Black Hat security conference by the help of his tool, called SSLstrip he was able to make a man-in-the-middle attack on normal, insecure http traffic and replaces links to secure https pages with normal http, so after a user submit the login and password or credit card credential the attacker can find all details in clear without the notice of victim.
Well Microsoft Internet explorer still not fixed to this vulnerability as well as other browser that support CryptoAPI, so here we have a great risk for our resources like VPN and Mail servers.
Actually the Bug ignore all characters like “/” and “0” but organization looks at the domain name, with or without these characters.
So an attacker can create a valid certificate name for your site and use it for example we need to issue a certificate for thoughtcrime.org than the string will be as follow:
Now the browsers that process SSL-Certificate over Microsoft library are Google Chrome, Apple Safari and Internet Explorer. On the other hand developers of Firefox fixed this Bug just few days after the Black Hat presentation.
make sure you subscribe to my RSS feed!