From: Torbjörn Hovmark (torbjorn.hovmark_at_abtrusion.com)
Date: Wed Aug 07 2002 - 04:58:04 CDT

    I agree, this is really, really serious. If this is correct, I believe it is
    one of the most serious vulnerabilities reported in a long time. People
    trust SSL to protect their money, and this is a vulnerability where you
    could easily attack thousands of users or go after the banks with a simple
    man-in-the-middle attack. I have feared a certificate chain vulnerability
    for some time now. This one certainly has the potential to hurt a lot of the
    little guys if someone would decide to steal their money.

    I wonder what the legal implications would be. I suppose, as the bug is in
    the client software, the banks might be safe from a legal standpoint, even
    though they have designed the poor security infrastructure they are using.
    If client certificates were used for authentication, this bug would be far
    less severe.

    It is a bit sad that this was reported without letting Microsoft know about
    it first, although I am not sure what they could have done had they known.
    To get millions and millions of end users to patch their browsers is quite a
    task, even for Microsoft.

    Does this bug apply only to IE 5, 5.5 and 6 and not to earlier browsers? Is
    it a bug in the browser or is it a bug in CryptoAPI? Is client certificate
    authentication in IIS vulnerable to the same attack?

    Best regards,

    Torbjörn Hovmark

    ______________________________________
    Abtrusion Security AB
    http://www.abtrusion.com

    ----- Original Message -----
    From: "Mike Benham" <moxiethoughtcrime.org>
    To: <bugtraqsecurityfocus.com>
    Sent: Tuesday, August 06, 2002 1:03 AM
    Subject: IE SSL Vulnerability

    >
    > ========================================================================
    > Internet Explorer SSL Vulnerability 08/05/02
    > Mike Benham <moxiethoughtcrime.org>
    > http://www.thoughtcrime.org
    >
    > ========================================================================
    > Abstract
    >
    > Internet Explorer's implementation of SSL contains a vulnerability that
    > allows for an active, undetected, man in the middle attack. No dialogs
    > are shown, no warnings are given.
    >
    > [...]