SSL certificates and "the most dangerous code in the world"

From Heise Online;
'Many programs that use encryption are not secure, according to researchers at the University of Texas at Austin and Stanford University.
The researchers found that a number of e-commerce web applications, well-known instant messaging clients such as Trillian and AIM, and a long list of cloud services use ineffective encryption. They say that the libraries used for encryption are the main culprit.
...
The research team conducted targeted man-in-the-middle attacks, presenting applications with three kinds of bogus certificates: a self-signed certificate with the correct name, a self-signed certificate with a random name and a certificate that was from a legitimate authority but issued to the domain AllYourSSLAreBelongto.us – hardly the correct domain. All three certificates managed to find trusting victims that accepted them.
The researchers found these bugs in almost all kinds of applications, from messaging clients to critical business applications that transmit sensitive customer data via services like PayPal and Amazon Flexible Payments Service (FPS). Chase Bank's Android banking app proved to be vulnerable, as did Rackspace's iOS app for managing resources in the cloud. ...' link

"The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser SoftwarePDF" PDF link