The posting of a trick SSL certificate for https://www.paypal.com/us/home, together with the corresponding private key, on the Full Disclosure security mailing list should finally force Microsoft, Google and Apple into releasing updates to fix the NULL prefix vulnerability. Phishers, for example, could use the certificate to disguise their servers as legitimate banking servers.
Inserting a null character into a certificate's common name causes vulnerable browsers to read the name only up to that character, even though the certificate was actually issued for a different domain. In the current case, a browser is tricked into believing that it has found a valid certificate for https://www.paypal.com/us/home. The hole has been known to exist in various browsers for several weeks. So far, of all the popular browsers, only Firefox and Opera have not fallen for the trick.
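The truncation described above, as an added example that is not part of the original article: a small Python model of why a null byte inside an X.509 Common Name defeats a C-string style hostname comparison, and the length-aware check a client should perform instead. The DER decoder, the two matching functions and the sample names (`www.bank.example`, `attacker.example`) are all constructed for illustration and do not reproduce any particular browser's code.

```python
# Added example, not code from the original article: a minimal model of the
# NULL prefix problem in certificate name matching. All names are constructed.

# Constructed sample: a Common Name that a careless CA would validate as
# belonging to attacker.example, because that is the label group after the NUL.
SAMPLE_CN = b"www.bank.example\x00.attacker.example"

# The same value encoded as a DER UTF8String TLV (tag 0x0C, short-form length).
SAMPLE_CN_DER = bytes([0x0C, len(SAMPLE_CN)]) + SAMPLE_CN


def parse_der_string(der: bytes) -> bytes:
    """Decode one short-form DER string TLV and return its value bytes.

    DER is length-prefixed, so a 0x00 byte inside the value is an ordinary
    character and survives decoding intact. The defect the article describes
    arises later, when the decoded value is handed to NUL-terminated C code.
    """
    if len(der) < 2:
        raise ValueError("truncated TLV")
    tag, length = der[0], der[1]
    if tag not in (0x0C, 0x13, 0x16):  # UTF8String, PrintableString, IA5String
        raise ValueError(f"unexpected tag 0x{tag:02x}")
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("only short-form, exactly-sized TLVs are handled here")
    return der[2:]


def vulnerable_match(cn: bytes, hostname: bytes) -> bool:
    """Model of the flawed comparison: the CN is treated like a C string,
    so everything from the first NUL byte onwards is ignored."""
    truncated = cn.split(b"\x00", 1)[0]
    return truncated.lower() == hostname.lower()


def safe_match(cn: bytes, hostname: bytes) -> bool:
    """Hardened comparison: refuse any name containing an embedded NUL and
    compare the full decoded length of the CN against the requested host."""
    if b"\x00" in cn or b"\x00" in hostname:
        return False
    return cn.lower() == hostname.lower()


def describe(cn: bytes, hostname: bytes) -> dict:
    """Return both verdicts for one CN/hostname pair, for reporting."""
    return {
        "cn": cn,
        "hostname": hostname,
        "vulnerable_accepts": vulnerable_match(cn, hostname),
        "safe_accepts": safe_match(cn, hostname),
    }


if __name__ == "__main__":
    decoded = parse_der_string(SAMPLE_CN_DER)
    print("decoded CN bytes:", decoded)
    for host in (b"www.bank.example", b"attacker.example"):
        print(describe(decoded, host))
```

Running the block shows the decoded CN still contains the NUL byte, that the modelled C-string comparison accepts the certificate for `www.bank.example`, and that the length-aware check rejects it. The point for a validator implementer is that the rejection belongs where the name is decoded: any embedded NUL in a DER string is grounds to fail the certificate before hostname matching is even attempted.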
The link for this article located at H Security is no longer available.