According to “Security Now” (www.grc.com), last month a hacker who goes by the moniker of Moxie Marlinspike gave a presentation titled “New Tricks for Defeating SSL in Practice” at the Black Hat conference in DC. While SSL encryption is a very secure protocol, it has now been shown to be possible to spoof a secure site, forcing a redirected connection with SSL encryption intact. Once you are redirected, the hacker can steal any secure information you enter into the fake web form. You may never know you were duped.
Most browsers use a shared library called CryptoAPI; Internet Explorer, Safari on Windows, and Chrome all use it. They all just assume the underlying framework in Windows is reliable. They’re all using it and, as a consequence, as of today they’re all vulnerable.
Essentially, at the moment a Windows user cannot trust any Windows browser other than Firefox. The Firefox guys fixed this within their browser. They took responsibility away from the underlying Windows platform and fixed it themselves within days.
Apple did fix it in OS X immediately, but hasn’t done so on Safari under Windows, as it’s not their fault. This is a Windows problem. The problem is that it makes all browsers except Firefox completely untrustworthy for making secure SSL connections until Microsoft finally fixes it. I recommend using Firefox only, until they do.