Re: IE https certificate attack

From: Przemyslaw Frasunek (venglinat_private)
Date: Tue Dec 25 2001 - 07:14:39 PST


    On Saturday 22 December 2001 15:37, security@e-matters.de wrote:
    >    A proof of concept webpage was put up at http://suspekt.org. Clicking
    >    on the "To the secure page..." link will send your browser to
    >    https://suspekt.org without IE warning you that the certificate was not
    >    issued to that server.
    
    Looks like Konqueror 2.2.1 (Mandrake Linux 8.1 + OpenSSL 0.9.6b) is also
    vulnerable. I got no warning when entering this page. I've also tested it
    with lynx 2.8.4rel.1 (compiled with OpenSSL 0.9.6a on FreeBSD), with the
    same result.
    
    -- 
    * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
    * Inet: przemyslawat_private ** PGP: D48684904685DF43EA93AFA13BE170BF *
    



    This archive was generated by hypermail 2b30 : Tue Dec 25 2001 - 09:22:34 PST