IE, Chrome, and Safari vulnerable to SSL man-in-the-middle

Post by EXreaction » Wed Oct 07, 2009 10:56 am

If you use the Internet Explorer, Google Chrome or Apple Safari browsers to conduct PayPal transactions, now would be a good time to switch over to the decidedly more secure Firefox alternative.

That's because a hacker on Monday published a counterfeit secure sockets layer certificate that exploits a gaping hole in a Microsoft library used by all three of those browsers. Although the certificate is fraudulent, it appears to all three to be a completely legitimate credential vouching for the online payment service. The bug was disclosed more than nine weeks ago, but Microsoft has yet to fix it.

Monday's release of the so-called null-prefix certificate for PayPal is a serious blow to online security because it makes it trivial for cybercrooks to defeat one of the web's oldest and most relied upon defenses against man-in-the-middle attacks. PayPal and thousands of other financial websites use the certificates to generate a digital signature that mathematically proves login pages aren't forgeries that were set up by con artists who are sitting in between the user and the website he's trying to view.


http://www.theregister.co.uk/2009/10/05 ... published/