There’s a scary article on Slashdot about an SSL attack that was revealed at this year’s DEFCON hacker conference. Now there’s been a certificate issued for PayPal which aids in exploiting the hole. This is the null-prefix attack!
SSL hacking tools here. And while we are at it... let’s defeat OCSP too, so revoked certificates aren’t checked by the client!
Bottom line, until MS fixes their Crypto API, if you are super paranoid then use Firefox or Safari on Mac (not on Windows).
Update: The October 2009 patches from Microsoft close this security hole. So be sure you run Windows Update and apply all the latest patches.