Misleading warning causes failure of Netscape SSL server authentication

This vulnerability defeats SSL server authentication in Netscape 4.73 and earlier versions. This is a new vulnerability unrelated to CERT advisory 2000-5. However, it has a similar devastating effect: destroying SSL server authentication. Under certain conditions, users can no longer trust the authenticity of SSL server certificates in Netscape.

This new vulnerability makes Netscape's SSL implementation as insecure as DNS. If you are victimized by this attack, then you may unknowingly divulge private information such as credit card numbers, personal data, passwords to online financial services, or other sensitive information to an adversary masquerading as what you think is a trusted SSL server.

The full report is available in text format. The CERT has also released an advisory.

Do you think someone could trick a user with this attack? These news reports can shed light.


Maintained by Kevin Fu