Wednesday, August 5, 2009

VeriSign says customers were already protected from SSL flaws (Update)

Update:
As mentioned, Mozilla has pushed the patches to Firefox users. Both the 3.5 and 3.x branches have patches available for download that address the mentioned flaws. Users are urged to download Firefox 3.5.2 or 3.0.13 to ensure protection.
"As part of Mozilla’s ongoing stability and security update process, Firefox 3.5.2 and Firefox 3.0.13 are now available for Windows, Mac, and Linux as free downloads. We strongly recommend that all Firefox users upgrade to this latest release," Mozilla said in a statement.
"If you already have Firefox 3.5 or Firefox 3, you will receive an automated update notification within 24 to 48 hours. This update can also be applied manually by selecting "Check for Updates…" from the Help menu."
Original Article:
Last week, during BlackHat in Las Vegas, two talks focused on problems with SSL. The separate talks, one given by Moxie Marlinspike and one by Dan Kaminsky, covered various issues, but each earned a good deal of hype in the press. After the talks, VeriSign quickly pointed out that it had preemptively protected clients from the various attack methods discussed.
Moxie Marlinspike, detailing the latest additions to his sslstrip tool, talked about the use of null characters and various other ways to fool Web browsers and other relying software into believing a certificate has been issued to a different domain than the one to which it was actually issued.
“I'm pleased to say that none of VeriSign's SSL Certificates on any brand allow null characters, meaning that you can't use any of our certificates in the attack detailed...,” said Tim Callan, vice president of product marketing at VeriSign, in an official statement.
Callan also pointed out that the fundamental problem needs to be solved by the client software that trusts certificates allowing null characters. In addition, he mentioned that EV certificates are also immune, a fact confirmed by Marlinspike during his Q&A session.
“Marlinspike discussed the possibility of using this attack against the auto-update functionality that's prevalent in desktop software today. If these updates depend exclusively on SSL to confirm their veracity, a null character certificate can work there,” said Callan.
“Marlinspike suggests code signing as the solution to this problem (and I agree that code signing is a good solution). It happens that employing EV SSL on this update functionality would solve the problem as well.”
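The null-character problem Callan describes comes down to how relying software compares the name in a certificate with the host it asked for. The following is an added illustration, not code from the article, VeriSign or Mozilla: a name check that stops at the first NUL byte (as a C-string comparison does) beside a length-aware check that refuses such names, using constructed sample values.

```python
# Added example: why an embedded NUL byte in a certificate name fools a
# comparison that stops at the first NUL, and a length-aware check that
# rejects such certificates outright.  All sample names are constructed.

def naive_host_match(cert_name: bytes, requested_host: str) -> bool:
    """Mimics a C-string style comparison: everything after the first NUL
    byte is ignored, so b'www.example.com\\x00.other.test' is treated as
    if it were 'www.example.com'.  This is the behaviour to avoid."""
    truncated = cert_name.split(b"\x00", 1)[0]
    return truncated.decode("ascii", "replace").lower() == requested_host.lower()


def strict_host_match(cert_name: bytes, requested_host: str) -> bool:
    """Length-aware check: reject any name containing a NUL or other control
    byte, require clean ASCII, then compare the whole value."""
    if b"\x00" in cert_name:
        return False
    try:
        name = cert_name.decode("ascii")
    except UnicodeDecodeError:
        return False
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        return False
    return name.lower() == requested_host.lower()


def audit_certificate_names(names):
    """Return the names an issuer or relying party should refuse: any that
    embed a NUL byte, which a well-formed DNS name never contains."""
    return [n for n in names if b"\x00" in n]


if __name__ == "__main__":
    # Constructed certificate name with an embedded NUL, as in the attack
    # the article discusses; the hostname the client actually requested.
    suspicious = b"www.example.com\x00.other.test"
    print("naive check accepts:", naive_host_match(suspicious, "www.example.com"))
    print("strict check accepts:", strict_host_match(suspicious, "www.example.com"))
    print("flagged names:", audit_certificate_names([b"www.example.com", suspicious]))
```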