SSL: to certify web security is not to guarantee it

Hard on the heels of the translated blog by Sebastián Bortnik that I posted at the weekend comes news from the Register of a bogus PayPal SSL certificate released yesterday. It exploits a bug in Microsoft’s crypto API that has remained unpatched for more than two months, since Moxie Marlinspike (can I have a handle like that, please?) demonstrated his "universal wildcard certificate" at Black Hat.

(Sebastián also referred to this attack in the blog we posted earlier, but here’s that link again: "Null Attacks Against Prefix SSL Certificates".)

Dan Goodin of the Register suggests that this is your cue to switch to Firefox, which doesn’t use the vulnerable API used by Internet Explorer, Google Chrome and Apple Safari – who says there’s no cooperation between the big players? ;-)

Well, that’s a convincing argument in the short term, but the real lesson here is that any application you use is only as good as the vendor’s ability to keep it patched and updated in good time when a vulnerability is uncovered.

Director of Malware Intelligence


Author David Harley, ESET
