RE: Multiple Vendor "talkd" user validation fault

From: 0x90 (0x90at_private)
Date: Fri Apr 05 2002 - 16:30:16 PST


    On the topic of ignored security issues, SSL security in general seems to
    be ignored as well, including Microsoft's lack of fixing issues with cert
    checking in Internet Explorer, which leads to an easy man in the
    middle/replay attack to a certificate viewed by IE. Maybe someday, people
    will listen, not today obviously - of course I notice it always becomes an
    issue when it finally affects the person. In detail, we can recap e-matters
    SSL issue where a flaw in Microsoft Internet Explorer allows an attacker to
    perform an SSL Man-In-The-Middle attack without the majority of users
    recognising it. In fact the only way to detect the attack is to manually
    compare the server name with the name stored in the certificate.
    
    
    For all curious: http://suspekt.org, click on "go to secure page" and if you
    don't get a popup, be disappointed. Now this report was issued in 2001, and
    IE 6 has not decided to fix this either. This, along with an ARP poison
    attack of a client and gateway on a network, will easily lead to compromise
    of SSL without any suspicions arising for users of IE. I'm disappointed, as
    we pass SSL off as the "industry standard" web authentication protocol, and
    it's implemented incorrectly, by 1) end users don't understand SSL
    implementation and the definition of digital trust, 2) no one reads those
    pop-ups anyway and 3) Microsoft royally fucks it up without a pop-up to
    begin with. So financially for 125$ I can go and successfully sniff my
    network without question and grab SSL user names and passwords, plus
    whatever else I want. Are you concerned? I am.
    
    0x90
    www.invisiblenet.net
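
The manual check the message describes (compare the server name with the name stored in the certificate), automated as an added example that is not part of the original post. The certificate dictionaries are constructed samples in the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the function names, host names and matching rules (subjectAltName first, commonName only as fallback, one left-most wildcard label) are assumptions of this example.

```python
# Added example: does the certificate a server presented actually name the
# host the user asked for? All certificates below are constructed samples.

def cert_names(cert):
    """DNS names the certificate is valid for: SAN entries, else subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    # Legacy fallback, used only when the certificate carries no SAN at all.
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def name_matches(pattern, host):
    """Case-insensitive label-by-label comparison with one wildcard rule."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a wildcard never spans more than one label
    if p[0] == "*":
        # Wildcard only as the whole left-most label, never for "*.tld".
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return p == h

def check_server_identity(cert, host):
    """Return (ok, names) so a mismatch can be logged with what was seen."""
    names = cert_names(cert)
    return any(name_matches(n, host) for n in names), names

# Constructed: the certificate the real site would present.
GOOD_CERT = {
    "subject": ((("commonName", "secure.bank.example"),),),
    "subjectAltName": (("DNS", "secure.bank.example"),),
}
# Constructed: a CA-signed certificate for some other name, presented by a
# host sitting in the path. The chain validates; only the name is wrong.
OTHER_NAME_CERT = {
    "subject": ((("commonName", "www.unrelated.example"),),),
    "subjectAltName": (("DNS", "www.unrelated.example"),),
}
# Constructed: old-style certificate with a wildcard CN and no SAN.
CN_ONLY_CERT = {"subject": ((("commonName", "*.bank.example"),),)}

if __name__ == "__main__":
    for label, cert in (("good", GOOD_CERT), ("other-name", OTHER_NAME_CERT),
                        ("cn-only", CN_ONLY_CERT)):
        ok, names = check_server_identity(cert, "secure.bank.example")
        print(f"{label:10s} match={ok} names={names}")
```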
    


