Bad News From Las Vegas
Jul 30th, 2009 by Alex
The SSL certificate vulnerabilities discussed at Black Hat yesterday are both scary and irritating. Scary, because the ramifications are huge. Banking. Health care. Email. Software repositories. Irritating for two reasons, namely who on earth decided to allow null characters in certificate names in the first place, and why the hell would an SSL implementation not read the entire string?
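The second complaint in that paragraph, shown as an added illustration that is not from the original post: a hostname check that treats the certificate's subject name as a C string stops at the first NUL and accepts the name, while a check that honours the DER-supplied length and rejects embedded NULs does not. The sample name below is constructed for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a subject name as a DER decoder would hand it over
 * (explicit length, no terminator), reading "www.example.com", then a NUL,
 * then a second name. The literal's own trailing NUL is excluded. */
static const unsigned char kSpoofedCn[] = "www.example.com\0other.example.net";
#define kSpoofedCnLen (sizeof(kSpoofedCn) - 1)

/* Naive check, for contrast: treats the decoded name as a C string, so the
 * comparison ends at the first NUL and never sees what follows it. */
bool naive_cn_matches_host(const unsigned char *cn, size_t cn_len,
                           const char *host)
{
    (void)cn_len;                        /* the length is ignored: the bug */
    return strcmp((const char *)cn, host) == 0;
}

/* Length-aware check: the DER length is authoritative, an embedded NUL is
 * never valid in a DNS name and is rejected outright, and the full length
 * must match before bytes are compared case-insensitively. */
bool cn_matches_host(const unsigned char *cn, size_t cn_len, const char *host)
{
    if (memchr(cn, '\0', cn_len) != NULL)
        return false;
    if (cn_len != strlen(host))
        return false;
    for (size_t i = 0; i < cn_len; i++) {
        if (tolower(cn[i]) != tolower((unsigned char)host[i]))
            return false;
    }
    return true;
}

int main(void)
{
    const char *host = "www.example.com";
    printf("naive  : %s\n",
           naive_cn_matches_host(kSpoofedCn, kSpoofedCnLen, host) ? "match" : "reject");
    printf("checked: %s\n",
           cn_matches_host(kSpoofedCn, kSpoofedCnLen, host) ? "match" : "reject");
    return 0;
}
```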
The good news is that Verisign's products supposedly are not vulnerable. No word on Thawte yet. Those are the biggies. But the big boys are never the problem in cases like these; it's always the smaller (and more shady) CA shops that will issue whatever certificate you want so long as you pay their fee.
Even if you don’t know what I’m talking about, odds are good that you’re affected. Lucky, huh?
Expect a lot of patches in the next few days, starting with your web browsers. Unless you're absolutely sure of the certificates backing your frequently visited secure web sites, I'd hold off on logging in or purchasing much until the next round of browser patches makes its way around.
Overkill? Perhaps. But better safe than sorry.