Re: [ISN] Security flaw found in Microsoft Web browser

From: InfoSec News (isnat_private)
Date: Wed Aug 14 2002 - 02:34:58 PDT


    ---------- Forwarded message ----------
    Date: Tue, 13 Aug 2002 10:47:12 -0400
    From: Ian Grigg <iangat_private>
    To: dbsat_private
    Subject: Re: [ISN] Security flaw found in Microsoft Web browser
    
    On Tuesday 13 August 2002 08:00, you wrote:
    
    > ``If you ever typed in credit card information to an SSL site
    > there's a chance that somebody intercepted it,'' he added.
    
    Right.  A theoretical, infinitesimal chance.  Next to zero. This issue
    has been around since the year dot, and there remains, ludicrously, no
    documented or admitted cases where credit card numbers have been
    intercepted on the net and used for fraudulent purposes.
    
    By now, one would think that it would have happened by accident, just
    through the sheer number of openly emailed credit card numbers.  But,
    instead, real crackers do what real crackers do:  they hack into
    machines and steal databases full of credit cards.
    
    > ``I would consider this to be incredibly severe,'' he added.
    >
    > Cryptography expert Bruce Schneier agreed.
    >
    > ``This is one of the worst cryptographic vulnerabilities I've seen
    > in a long time,'' said Schneier, co-founder and chief technology
    > officer at Counterpane Internet Security, a Cupertino,
    > California-based network monitoring firm.
    >
    > ``What this means is that all the cryptographic protections of SSL
    > don't work if you're a Microsoft IE user,'' Schneier added.
    
    The eminent Mr Schneier must have been misquoted. What this permits is
    an MITM attack, the most obscure and unlikely of the scenarios.  
    Passive listening is presumably unaffected, by orders of magnitude a
    greater danger.  I.e., say Yes to Mallory, say No to Eve.
    
    > MICROSOFT DOWNPLAYS REPORT
    
    Not that anyone will believe them, but in this case, it is indeed
    appropriate to assure that MITM attacks are hard. This doesn't mean
    that they shouldn't fix the bug, but this flaw is more embarrassing
    than devastating;  the fact that it took so long to find also points
    out the relative lack of popularity that Mallory has in the real
    world.
    
    > An attacker wouldn't even need to create a fake Web site, but could
    > merely intercept the data from a legitimate Web site without the
    > victim knowing, Benham said.
    
    Right, so there are two approaches:  set up a fake web site as certs
    are now fakable.  Or 'merely' intercept the traffic and conduct the
    MITM.  The former is plausible, but in fact it goes on a lot already,
    as seen from the gold experiences.  I wonder how successful those
    efforts have been?  (It's no surprise that in later posts today, Rick
    van Rein talks about these efforts, as he's observing real security at
    work, not dwelling in the security industry.)
    
    > ``The reason SSL exists is to defend against these types of
    > attacks,'' he said. ``If these types of attacks were so hard, nobody
    > would have to use SSL.''
    
    Oddly enough, totally true.  SSL use is not that high, simply because
    certs are so hard to set up, browsers discriminate against so-called
    snake-oils, and, meanwhile, MITM attacks remain too rare to measure.
    So there is no great "need" in the greater society of the net (other
    than the commercial needs of various security companies).
    
    -- 
    iang
    
    
    