* Posts by Gordon.Young

3 publicly visible posts • joined 8 Oct 2009

IE, Chrome, Safari duped by bogus PayPal SSL cert

Gordon.Young

Confirmed on production version on M$ Windows.

regarding>> I am in search of more information.

This issue is confirmed.

I am not able to generate a request with a null character prefix CN using Microsoft's CAPI (via CertEnroll API).

Unfortunately I am able to reproduce this quite easily by creating a certificate with other widely used crypto APIs.

When I view the cert which I generated in a recent supported version of Windows I can confirm the issue is still present.

"Crypto Shell Extensions" which uses MS CAPI APIs allows me to see the certificate's subject as only the portion before the null.

In my opinion CAPI's handling of directory strings using CString vs. ASN.1 DERPrintableString is broken.

While CAPI is smart enough to not let us generate a signing request with broken RDN components, certificate subject validation + display is indeed broken.

This is not good.

~Gordo
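Added example, not part of the original post and not Microsoft's code: a C sketch of the general pattern the post describes, where a length-prefixed CN read through C string functions appears to end at the embedded null, next to a length-aware check that rejects it. The `der_str` struct, the function names and the sample CN values are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Directory strings in a certificate are length-prefixed, so a NUL byte
 * can sit inside the value. This struct keeps the encoded length. */
struct der_str { const unsigned char *data; size_t len; };

/* Constructed sample values (not taken from any real certificate). */
static const unsigned char SAMPLE_CN[] = "www.example.com\0.untrusted.example";
static const unsigned char CLEAN_CN[]  = "www.example.com";
static const struct der_str SAMPLE = { SAMPLE_CN, sizeof SAMPLE_CN - 1 };
static const struct der_str CLEAN  = { CLEAN_CN,  sizeof CLEAN_CN - 1 };

/* Flawed pattern: hand the bytes to C string functions, which stop at
 * the first NUL and never see the rest of the CN. (Also assumes the
 * buffer is NUL-terminated, which holds for the samples above.) */
int cn_matches_cstring(const struct der_str *cn, const char *host) {
    return strcmp((const char *)cn->data, host) == 0;
}

/* Length-aware check: an embedded NUL is never valid in a host name. */
int cn_has_embedded_nul(const struct der_str *cn) {
    return memchr(cn->data, 0, cn->len) != NULL;
}

/* Hardened match: reject embedded NULs, then compare over the full
 * encoded length, case-insensitively. */
int cn_matches_strict(const struct der_str *cn, const char *host) {
    size_t i, hlen = strlen(host);
    if (cn_has_embedded_nul(cn) || cn->len != hlen)
        return 0;
    for (i = 0; i < hlen; i++)
        if (tolower(cn->data[i]) != tolower((unsigned char)host[i]))
            return 0;
    return 1;
}

int main(void) {
    const char *host = "www.example.com";
    printf("encoded length %zu, strlen sees %zu\n",
           SAMPLE.len, strlen((const char *)SAMPLE.data));
    printf("C-string compare: %d\n", cn_matches_cstring(&SAMPLE, host));
    printf("strict compare:   %d\n", cn_matches_strict(&SAMPLE, host));
    printf("clean CN strict:  %d\n", cn_matches_strict(&CLEAN, host));
    return 0;
}
```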

Gordon.Young

Seeking more info regarding Microsoft CAPI

I am in search of more information. I have read the Moxie Marlinspike article. I did see some of the other exploits demonstrated by SSL-Sniff first hand, but am yet to see where this exploit exists in the timeline of Windows + CAPI enabled applications, browsers, email, custom, etc.

Has this vulnerability been documented in Microsoft's crypto API? Has there been a test matrix of the various versions of Windows, current offerings, and those still in the wild, paired with the possibilities of browser+OS pairings which demonstrate the "C-String" flaw in CAPI?

Please someone educate me on documented cases of this exploit in Windows CAPI + CAPI reliant applications.

Thank you in advance.

Gordon~

SSL spoof bug still haunts IE, Safari, Chrome

Gordon.Young

Seeking more info on MS CAPI bug

I am in search of more information. I have read the Moxie Marlinspike article. I did see some of the other exploits demonstrated by SSL-Sniff first hand, but am yet to see where this exploit exists in the timeline of Windows + CAPI enabled applications, browsers, email, custom, etc.

Has this vulnerability been documented in Microsoft's crypto API? Has there been a test matrix of the various versions of Windows, current offerings, and those still in the wild, paired with the possibilities of browser+OS pairings which demonstrate the "C-String" flaw in CAPI?

Please someone educate me on documented cases of this exploit in Windows CAPI + CAPI reliant applications (browsers, etc.). I didn't see it in the Moxie article. I apologize if I simply missed it.

Thank you in advance.

Gordon~