Re: IE SSL Vulnerability

From: Torbjörn Hovmark (torbjorn.hovmarkat_private)
Date: Wed Aug 07 2002 - 02:58:04 PDT

    I agree, this is really, really serious. If this is correct, I believe it is
    one of the most serious vulnerabilities reported in a long time. People
    trust SSL to protect their money, and this is a vulnerability where you
    could easily attack thousands of users or go after the banks with a simple
    man-in-the-middle attack. I have feared a certificate chain vulnerability
    for some time now. This one certainly has the potential to hurt a lot of the
    little guys if someone decided to steal their money.
    
    I wonder what the legal implications would be. I suppose, as the bug is in
    the client software, the banks might be safe from a legal standpoint, even
    though they have designed the poor security infrastructure they are using.
    If client certificates were used for authentication, this bug would be far
    less severe.
    
    It is a bit sad that this was reported without letting Microsoft know about
    it first, although I am not sure what they could have done had they known.
    To get millions and millions of end users to patch their browsers is quite a
    task, even for Microsoft.
    
    Does this bug apply only to IE 5, 5.5 and 6 and not to earlier browsers? Is
    it a bug in the browser or is it a bug in CryptoAPI? Is client certificate
    authentication in IIS vulnerable to the same attack?
    
    
    Best regards,
    
    Torbjörn Hovmark
    
    ______________________________________
    Abtrusion Security AB
    http://www.abtrusion.com
    
    
    
    ----- Original Message -----
    From: "Mike Benham" <moxieat_private>
    To: <bugtraqat_private>
    Sent: Tuesday, August 06, 2002 1:03 AM
    Subject: IE SSL Vulnerability
    
    
    >
    > ========================================================================
    > Internet Explorer SSL Vulnerability 08/05/02
    > Mike Benham <moxieat_private>
    > http://www.thoughtcrime.org
    >
    > ========================================================================
    > Abstract
    >
    > Internet Explorer's implementation of SSL contains a vulnerability that
    > allows for an active, undetected, man in the middle attack.  No dialogs
    > are shown, no warnings are given.
    >
    > [...]
    


