The Associated Press reports:
Hackers at the Black Hat and DefCon security conferences have revealed a serious flaw in the way Web browsers weed out untrustworthy sites and block anybody from seeing them. If a criminal infiltrates a network, he can set up a secret eavesdropping post and capture credit card numbers, passwords and other sensitive data flowing between computers on that network and sites their browsers have deemed safe.
In an even more nefarious plot, an attacker could hijack the auto-update feature on a victim’s computer, and trick it into automatically installing malware pulled in from a hacker’s Web site. The computer would think it’s an update coming from the software manufacturer. […]
[The hackers at both conferences] reached essentially the same conclusion: There are major problems in the way browsers interact with Secure Sockets Layer (SSL) certificates, which is a common technology used on banking, e-commerce and other sites handling sensitive data.
Browser makers and the companies that sell SSL certificates are working on a fix.