18 Aug '13, 9am

Oh for fuck’s sake. Ruby’s OpenSSL binding gets fooled by NUL byte in subjectAltName.

Hostname check bypassing vulnerability in SSL client (CVE-2013-4073)

A vulnerability in Ruby’s SSL client that could allow man-in-the-middle attackers to spoof SSL servers via valid certificate issued by a trusted certification authority. This vulnerability has been assigned the CVE identifier CVE-2013-4073.

Summary

Ruby’s SSL client implements hostname identity check but it does not properly handle hostnames in the certificate that contain null bytes.

Details

OpenSSL::SSL.verify_certificate_identity implements RFC2818 Server Identity check for Ruby’s SSL client but it does not properly handle hostnames in the subjectAltName X509 extension that contain null bytes. Existing code in lib/openssl/ssl.rb uses OpenSSL::X509::Extension#value for extracting identity from subjectAltName. Extension#value depends on the OpenSSL function X509V3_EXT_print() and for dNSName of subjectAl...

Full article: http://www.ruby-lang.org/en/news/2013/06/27/hostname-chec...
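An added example, not code from the advisory or from Ruby itself: it reads dNSName entries from the DER bytes of a subjectAltName extension and refuses any name containing a NUL byte, instead of trusting a printed string that stops at the NUL. The helper names and the sample hostnames are assumptions made for illustration, and only exact (non-wildcard) matching is shown.

```ruby
require "openssl"

DNS_NAME_TAG = 2 # dNSName is choice [2] of GeneralName (RFC 5280)

# Encode a subjectAltName extension from raw dNSName byte strings, so the
# sample carries exactly the bytes given (including any NUL).
def build_san_extension(dns_names)
  names = dns_names.map do |n|
    OpenSSL::ASN1::ASN1Data.new(n, DNS_NAME_TAG, :CONTEXT_SPECIFIC)
  end
  OpenSSL::ASN1::Sequence.new([
    OpenSSL::ASN1::ObjectId.new("2.5.29.17"), # subjectAltName
    OpenSSL::ASN1::OctetString.new(OpenSSL::ASN1::Sequence.new(names).to_der)
  ]).to_der
end

# Constructed sample input; both hostnames are placeholders.
SAMPLE_SAN_DER = build_san_extension(
  ["www.example.com\0.untrusted.invalid", "alt.example.org"]
)

# Return every dNSName in the extension as the full byte string from the DER.
def dns_names_from_san(ext_der)
  octets = OpenSSL::ASN1.decode(ext_der).value.last # skips optional 'critical'
  OpenSSL::ASN1.decode(octets.value).value
    .select { |gn| gn.tag_class == :CONTEXT_SPECIFIC && gn.tag == DNS_NAME_TAG }
    .map(&:value)
end

# Models what a NUL-terminated (C string) consumer would see of a name.
def c_string_view(name)
  name.split("\0", 2).first.to_s
end

# Exact, case-insensitive match; a name containing NUL never matches.
def safe_hostname_match?(hostname, ext_der)
  dns_names_from_san(ext_der).any? do |name|
    !name.include?("\0") && name.downcase == hostname.downcase
  end
end

if __FILE__ == $PROGRAM_NAME
  dns_names_from_san(SAMPLE_SAN_DER).each do |name|
    puts "full=#{name.inspect} c_string_view=#{c_string_view(name).inspect}"
  end
  puts "www.example.com accepted? #{safe_hostname_match?('www.example.com', SAMPLE_SAN_DER)}"
end
```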

Google confirms Bitcoin-theft vulnerability in Android

linuxtoday.com 16 Aug '13, 6am

Google confirms Bitcoin-theft vulnerability in Android Aug 15, 2013, 19:00 (0 Talkback[s] ) Tweet Google has verified that...

CyanogenMod 10.2 Nightlies Available, Android B...

xda-developers.com 16 Aug '13, 6pm

CyanogenMod 10.2 nightlies are now available for various devices. That and more are covered by Jordan, as he reviews all t...

Concern mounts as Google confirms Android cryptographic vulnerability

theguardian.com 15 Aug '13, 5pm

Google has confirmed reports of a weakness in Android 's Java Cryptography Architecture (JCA) that has left bitcoin wallet...
