Merry Certmas! CN=*\

Jacob Appelbaum jacob at
Wed Sep 30 01:51:33 EDT 2009

Hello *,

In the spirit of giving and sharing, I felt it would be nice to enable
other Noisebridgers (and friends of Noisebridge) to play around with
bugs in SSL/TLS.

Moxie was just over and we'd discussed releasing this certificate for
some time. He's already released a few certificates and I thought I'd
join him. In celebration of his visit to San Francisco, I wanted to
release fun-times-at-moxie-marlinspike-high. This is a text file that
contains a fully valid, signed certificate (with private key) that can
be used to exploit the NULL certificate prefix bug[0]. The certificate
is valid for * on the internet (when exploiting libnss software). The
certificate is good for two years. It won't work for exploiting the bug
for software written with the WIN32 api, they don't accept (for good
reason) *! I suggest the use of Moxie's sslsniff[1] if you're so
inclined to try network related testing. It may also be useful for
testing code signing software.

It's been long enough that everyone should be patched for this awesome
class of bugs. This certificate and corresponding private key should
help people test fairly obscure software or software they've written
themselves. I hope this release will help with confirmation of the bug
and with regression testing. Feel free to use this certificate for
anything relating to free software too. Consider it released into the
public domain of interesting integers.



-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: fun-times-at-moxie-marlinspike-high
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 155 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the cryptography mailing list