When I read through the null prefix attack paper I took it to mean that browser and certificate vendors were not doing an adequate job of verifying domain names.
There's nothing inherently wrong with using counted strings (actually that is a step in the right direction IMHO). The problem is that browsers are assuming that a Pascal string is equivalent to a null-terminated string.

--Will

> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Serge Fonville
> Sent: Tuesday, August 11, 2009 10:51 AM
> To: [email protected]
> Subject: Re: Is Openssl vulnerable to Null-Prefix Attacks?
>
> Hi,
>
> I read the PDF and my first question would be:
> How is this relevant to openssl, since it is normally only
> used for creating and signing certificates? It is more up to a
> browser to do the proper checking. That's why the PDF states:
> While many SSL/TLS implementations fall victim to this,
> Mozilla's NSS is the worst.
>
> If anyone disagrees, please explain why!
>
> HTH
>
> Regards,
>
> Serge Fonville
>
> On Tue, Aug 11, 2009 at 9:35 AM, Roger
> No-Spam<[email protected]> wrote:
> > Recently there has been some discussion on the Internet regarding so
> > called null-prefix attacks, see
> > http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf.
> > Is openssl vulnerable to this attack?
> >
> > /Roger
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [email protected]
> Automated List Manager                           [email protected]
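The counted-string versus null-terminated mismatch discussed in this thread, as an added example (not code from the thread, the paper, or OpenSSL). The `counted_str` type, the function names and the sample names are hypothetical and constructed; hostnames are assumed to be already lowercased.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical counted ("Pascal-style") string, the way a certificate
   name field is carried: explicit length, bytes may include 0x00. */
struct counted_str {
    const unsigned char *data;
    size_t len;
};

/* Flawed check: reads the counted bytes as a C string, so the comparison
   stops at the first NUL and never sees the bytes after it. */
int naive_name_matches(const struct counted_str *cn, const char *host)
{
    return strcmp((const char *)cn->data, host) == 0;
}

/* Length-aware check: reject any name with an embedded NUL, then require
   the counted length to equal the host length before comparing bytes. */
int strict_name_matches(const struct counted_str *cn, const char *host)
{
    size_t hlen = strlen(host);

    if (memchr(cn->data, '\0', cn->len) != NULL)
        return 0;   /* counted length and C-string length disagree */
    if (cn->len != hlen)
        return 0;
    return memcmp(cn->data, host, hlen) == 0;
}

/* Constructed sample names. Both literals carry a trailing NUL outside the
   counted length, so the naive read stays inside the buffer here. */
static const unsigned char EMBEDDED[] = "www.example.com\0.other.example";
static const unsigned char CLEAN[]    = "www.example.com";

struct counted_str sample_embedded(void)
{
    struct counted_str s = { EMBEDDED, sizeof(EMBEDDED) - 1 };
    return s;
}

struct counted_str sample_clean(void)
{
    struct counted_str s = { CLEAN, sizeof(CLEAN) - 1 };
    return s;
}

int main(void)
{
    struct counted_str bad = sample_embedded(), ok = sample_clean();
    printf("embedded NUL: naive=%d strict=%d\n",
           naive_name_matches(&bad, "www.example.com"),
           strict_name_matches(&bad, "www.example.com"));
    printf("clean name:   naive=%d strict=%d\n",
           naive_name_matches(&ok, "www.example.com"),
           strict_name_matches(&ok, "www.example.com"));
    return 0;
}
```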
