Multiple Web Browsers SSL Certificate SubjectAltName Validation Weakness

Multiple web browsers fail to validate SSL certificates properly. This issue occurs because the applications fail to properly handle 'subjectAltName' extensions to X.509 certificates.

Successfully exploiting this issue may aid attackers in phishing-style attacks by bypassing security warnings when invalid certificates are used in SSL HTTP connections.
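The advisory does not describe the flawed logic, so the following added example (not taken from the advisory or from any browser's code) shows only the name check a client is expected to apply to subjectAltName entries under RFC 2818, with a stricter wildcard policy. The function names and the example.com certificate names are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample: dNSName entries as they would be read from a certificate.
SAN_DNS = ["www.example.com", "*.shop.example.com"]

def _norm(name):
    """Lower-case the name and drop a single trailing dot."""
    name = name.lower()
    return name[:-1] if name.endswith(".") else name

def _label_match(pattern, host):
    """Compare label by label; '*' may only stand for the whole left-most label."""
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or "" in p_labels or "" in h_labels:
        return False                      # a wildcard never spans several labels
    first, rest = p_labels[0], p_labels[1:]
    if any("*" in label for label in rest) or rest != h_labels[1:]:
        return False                      # no wildcard outside the first label
    if first == "*":
        return len(rest) >= 2             # refuse over-broad patterns like "*.com"
    if "*" in first:
        return False                      # partial wildcards are refused here
    return first == h_labels[0]

def host_matches_cert(host, san_dns, san_ip=(), subject_cn=None):
    """Return True only if the requested host is covered by the certificate."""
    host = _norm(host)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        # IP literals are compared with iPAddress entries, never with dNSName.
        return any(addr == ipaddress.ip_address(ip) for ip in san_ip)
    if san_dns:
        # Once any dNSName entry exists, the subject CN is ignored.
        return any(_label_match(_norm(p), host) for p in san_dns)
    # Legacy fallback, used only when the certificate has no dNSName entry.
    return subject_cn is not None and _label_match(_norm(subject_cn), host)
```

A match here only says the name is covered; the certificate chain still has to validate to a trusted root before any entry in the extension is relied on.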

The following browsers are reported vulnerable:

Mozilla Firefox (and browsers based on the Gecko rendering engine)
Konqueror (and browsers based on the KHTML rendering engine, such as Apple's Safari)

Other browsers may also be affected.

This BID may be split into individual records as vendors disclose more information about individual browsers.


Copyright 2010, SecurityFocus