DefCon Reveals Holes in SSL, Browser Interoperability
Security researchers (I guess that's the proper name for a white hat hacker) at DefCon demonstrated how an enterprising hacker could "tap" into a supposedly secure data stream to lift sensitive information. What was shown was a major problem in the way browsers interact with SSL certificates, though it's a "man in the middle" attack which requires the perp to already be in the target network.
Jon Miller, an SSL expert and director of Accuvant Labs, said he expects significant attacks against corporations using this technique in the coming months. Criminals who run "phishing" scams, in which people are tricked into visiting phony sites, will also likely latch on. … VeriSign's Callan said within hours of the talks, his company got a number of applications for SSL certificates featuring null characters, but they were denied.