
 
From: PT-Sheik Abdulla (Sheikpt.com.sg)
Date: Thu Jan 03 2002 - 18:56:59 CST


    Hi,

    I have checked this on a computer which has IE5.0SP2. When I entered
    the PoC site, a Security Alert pop-up window appeared, stating that the
    certificate is from a trusted CA, the certificate date is valid, and the name on
    the cert does not match the site's name (warning label).

    In a secure environment like banking, users should be warned about these
    warnings while using the internet.

    Web browsers can check the contents of the cert with the available
    authorised CAs for whether they are really issued by them. Checking the
    CRL is not the browser's task; if it is enabled in future, just think how the
    CRL servers are going to handle billions of requests
    every day, and how much time you will wait for the CRL before you proceed
    further to visit the site. By keeping the customer waiting at the browser, you
    may lose your customer through his impatience (a recent study shows that a
    customer cannot wait for more than 8 seconds to see a page on the site).

    my 0.02

    Rgds,
    Sheik
    ----- Original Message -----
    From: "Andrew Chong" <andrewjwsingnet.com.sg>
    To: <focus-mslists.securityfocus.com>; <focus-mssecurityfocus.com>
    Sent: Thursday, January 03, 2002 10:00 PM
    Subject: IE 5.0, 5.5 6.0 https SSL certificate attack - Serious

    > Currently, there is a serious IE HTTPS SSL certificate vulnerability.
    > Remember to look at the SSL certificate every time you enter an HTTPS site.
    > Microsoft was informed but they seem not able to come out with a patch due to
    > complications.
    >
    > More details:
    > http://security.e-matters.de/advisories/012001.html
    >
    > Proof of concept
    > http://suspekt.org/
    >
    > Andrew Chong, CISSP
    > Senior System Architect
    >

    IMPORTANT NOTICE:
    The Information contained and transmitted by this E-MAIL is proprietary to
    PACIFIC TECHNOLOGY PTE LTD and is intended for use only by the individual or
    entity to which it is addressed, and may contain information that is
    privileged, confidential or exempt from disclosure under applicable law. If
    you are not the intended recipient, or an agent of the intended recipient or
    it appears that this mail has been forwarded to you without proper authority
    you are notified that any use, distribution, printing, copying or
    dissemination of this information in any way or in any manner is strictly
    prohibited. Any views or opinions presented shall be solely those of the
    author and do not necessarily represent those of the Pacific Technology Pte
    Ltd, unless written by an authorized representative. If you have received
    this communication in error, please delete this mail & notify us immediately
    at adminpt.com.sg.
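The three checks Sheik's Security Alert dialog reports (trusted issuer, validity dates, name match) are exactly what a client must verify before trusting an HTTPS peer. The following is an added example, not code from the list posters or from any browser: it implements those three checks in Python over a certificate dict in the shape returned by `ssl.SSLSocket.getpeercert()`. The sample certificate, hostnames and trust store are constructed for the example, and the "trusted CA" check is simplified to an issuer-name lookup (a real client verifies the signature chain, which `ssl.create_default_context()` does for you). The point it makes is the one in the thread: a certificate that is trusted and in date still fails on name mismatch, and that single warning is the one a user must not click through.

```python
import ssl
import time

# Constructed sample (not a real certificate): the dict shape mirrors what
# ssl.SSLSocket.getpeercert() returns for a validated peer.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "issuer": (
        (("organizationName", "Example Trusted CA"),),
        (("commonName", "Example Trusted CA Root"),),
    ),
    "subjectAltName": (
        ("DNS", "www.example-bank.test"),
        ("DNS", "*.example-bank.test"),
    ),
    "notBefore": "Jan  1 00:00:00 2002 GMT",
    "notAfter": "Dec 31 23:59:59 2002 GMT",
}

# Constructed trust store: issuer common names the client trusts.
# (Simplification for the example; real clients verify the signature chain.)
TRUSTED_ISSUERS = {"Example Trusted CA Root"}


def _rdn_value(name, attr):
    """Return the first value of attribute `attr` in a getpeercert()-style name."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def _dns_name_matches(pattern, hostname):
    """RFC 6125-style match: a wildcard may only be the whole leftmost label
    and matches exactly one label, so *.example.test never covers a.b.example.test."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    pattern_labels = pattern.split(".")[1:]
    host_labels = hostname.split(".")
    return (
        len(host_labels) == len(pattern_labels) + 1
        and host_labels[0] != ""
        and host_labels[1:] == pattern_labels
    )


def cert_names(cert):
    """DNS names the certificate is valid for: SANs if present, else the subject CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    cn = _rdn_value(cert.get("subject", ()), "commonName")
    return [cn] if cn else []


def check_peer_cert(cert, hostname, trusted_issuers, now=None):
    """Return the list of warnings a browser dialog would raise for this peer:
    'untrusted-issuer', 'date-invalid', 'name-mismatch'. Empty list means accept."""
    now = time.time() if now is None else now
    warnings = []

    # 1. Is the certificate from a CA we trust?
    issuer_cn = _rdn_value(cert.get("issuer", ()), "commonName")
    if issuer_cn not in trusted_issuers:
        warnings.append("untrusted-issuer")

    # 2. Is the certificate date valid right now?
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        warnings.append("date-invalid")

    # 3. Does the name on the cert match the site we connected to?
    if not any(_dns_name_matches(name, hostname) for name in cert_names(cert)):
        warnings.append("name-mismatch")

    return warnings


if __name__ == "__main__":
    # 1010000000 is a constructed "now" inside the sample validity window (Jan 2002).
    for host in ("www.example-bank.test", "login.example-bank.test", "www.attacker.test"):
        print(host, "->", check_peer_cert(SAMPLE_CERT, host, TRUSTED_ISSUERS, now=1010000000) or "OK")
```

Run as a script it prints `OK` for the two legitimate names and `['name-mismatch']` for the third, the case the thread is about: a perfectly good certificate presented by a site it was not issued to. Note that none of these checks consults a CRL; revocation status is a fourth, separate question, which is why Sheik's point about CRL latency does not change what the dialog above can tell the user.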