Moxie Marlinspike at Black Hat has just demonstrated a very serious i18n
attack using a *.ijjk.cn certificate.
http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf

.cn is authorized for i18n, and the * will match anything, allowing all
the classic i18n-based attacks.

He enhanced the attack by finding some i18n chars that look like '/' or
'?', making it possible to hide the ".ijjk.cn" very far to the right, in
many cases beyond the end of the displayed part of the URL bar.

So what is the proper immediate/long-term solution? Disable punycode for
the wildcard part of certificates?

PS: Some of his other remarks about the current state of SSL are
interesting but are not really that much news for everyone on this group
and do not require similar immediate action.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
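
The mitigation asked about in the message above (no punycode in the part of the name that a certificate wildcard covers), sketched as an added example; it is not part of the original post and is not NSS code. The function names and the sample hostnames are constructed for illustration, and the one-label-only wildcard rule is an assumption of this sketch.

```python
from typing import List, Optional


def to_a_labels(hostname: str) -> Optional[List[str]]:
    """Return the lower-cased ASCII (A-label) form of hostname, split into
    labels, or None if the name cannot be IDNA-encoded."""
    try:
        ascii_name = hostname.rstrip(".").encode("idna").decode("ascii")
    except UnicodeError:
        return None
    labels = ascii_name.lower().split(".")
    return labels if all(labels) else None


def wildcard_match(pattern: str, hostname: str) -> bool:
    """Match a certificate dNSName pattern against a hostname.

    Exact names may be IDNs. A leading '*' label covers exactly one label
    (assumption of this sketch), and never a punycode ('xn--') label.
    """
    host = to_a_labels(hostname)
    pat = pattern.lower().rstrip(".").split(".")
    if host is None:
        return False
    if pat[0] != "*":
        # No whole-label wildcard: plain comparison, IDN labels allowed.
        return pat == host
    if any("*" in label for label in pat[1:]):
        return False  # wildcard only permitted as the leftmost label
    if len(host) != len(pat) or host[1:] != pat[1:]:
        return False  # '*' stands for one label, the rest must be equal
    # The label that '*' would stand for must not be an IDN A-label.
    return not host[0].startswith("xn--")


if __name__ == "__main__":
    # Constructed sample names under the domain used in the message.
    for name in ("www.ijjk.cn", "xn--bcher-kva.ijjk.cn",
                 "b\u00fccher.ijjk.cn", "a.b.ijjk.cn"):
        print(name, wildcard_match("*.ijjk.cn", name))
```

With this rule an internationalized name is only accepted when the certificate lists it explicitly, so a wildcard can no longer stand in for a label containing look-alike characters.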