Bugtraq mailing list archives
Bypassing Warnings For Invalid SSL Certificates, Part Two
From: FKnobbe () HOME COM (Frank Knobbe)
Date: Wed, 28 Jun 2000 13:43:52 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings,

remember the discovery by Mitja Kolsek regarding bypassing the security warnings when you view SSL protected sites with an invalid certificate? Back then I asked him what warnings he meant since I've never seen one. :)

Apparently the reason I've never seen that warning was because I had configured my Internet Explorer (5.1) to 'Check for Server Certificate Revocation' and 'Check for Publisher Certificate Revocation' (under the Advanced Tab in the Internet Options). Testing has shown that with these checkboxes de-selected, I.E. will warn about sites where the domain name doesn't match the one listed in the certificate (to warn you about site spoofing). However, with these checkboxes selected, no warning is presented at all.

To verify: De-select above mentioned settings. Get the IP address of your favorite SSL protected site and enter it into your local HOSTS file with a mock domain name (for example test.com). Then open I.E. and go to https://test.com and the page will be displayed without any warning notifications. It displays the lock in the Status Bar as usual. When you do a right click on the page and check the status, it will list that it cannot validate the certificate, as it should. It's just that no warning will be presented to alert the user that the site is not valid.

I'm not sure if this problem only occurs on SSL certificates that do not list a revocation URL, or if it applies to all certs. I tested it on patched and unpatched versions of I.E. 5.0 and 5.1.

I did not notify Microsoft before this posting because I don't qualify this as a threatening exploit.

Workaround:
-----------
For users: Well, obviously de-select the mentioned settings.

Suggestions:
------------
For web site operators: Implement anti-spoofing redirections (which more and more are using, that's good).

For certificate issuers: Make use of standards and implement them fully. List a revocation URL in the certificate if you have one.

Regards,
Frank Knobbe

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.1
Comment: PGP or S/MIME (X.509) encrypted email preferred.

iQA/AwUBOVpHaERKym0LjhFcEQI4AwCfaLPFBIbw9H8WY6bsXyrnSmt9dFAAn2sr
Omu+70XgQ+AJVkj4g8Wrvdzz
=T8Fy
-----END PGP SIGNATURE-----
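The post's point is that the name-mismatch check and the revocation check are independent, and a browser must raise the mismatch warning whichever revocation settings are on. The following is an added example, not code from the post or from Microsoft, that models those two checks separately: a name matcher in the style of RFC 6125 (exact match on dNSName entries, a wildcard honoured only as the whole leftmost label, IP literals matched only against iPAddress entries, subject CN as a fallback when no dNSName is present), and an evaluator that collects warnings. The certificate record, the `example-bank.test` name and the `evaluate`/`hostname_matches` helpers are constructed for illustration; `test.com` is the mock name from the post's HOSTS-file test.

```python
"""Hostname-vs-certificate matching kept separate from revocation checking.

Added example; the certificate records are constructed, not real.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertInfo:
    """Minimal view of the identity fields of an X.509 server certificate."""
    subject_cn: str
    san_dns: List[str] = field(default_factory=list)  # dNSName entries in subjectAltName
    san_ip: List[str] = field(default_factory=list)   # iPAddress entries in subjectAltName
    crl_url: Optional[str] = None                     # CRL distribution point, if any


def _label_match(pattern: str, hostname: str) -> bool:
    """Match one presented DNS identifier against a hostname (RFC 6125 style).

    A wildcard is honoured only as the whole leftmost label ('*.example.com'),
    only when at least two labels follow it, and it matches exactly one label,
    so '*.example.com' covers 'a.example.com' but neither 'example.com' nor
    'a.b.example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str, cert: CertInfo) -> bool:
    """Return True if the requested hostname is covered by the certificate.

    An IP literal must appear as an iPAddress SAN. A DNS name is checked
    against the dNSName SANs; the subject CN is consulted only when the
    certificate carries no dNSName entries at all.
    """
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(s) == ip for s in cert.san_ip)
    names = cert.san_dns if cert.san_dns else [cert.subject_cn]
    return any(_label_match(n, hostname) for n in names)


def evaluate(hostname: str, cert: CertInfo, check_revocation: bool,
             revoked: bool = False) -> List[str]:
    """Collect the warnings a client should raise for this connection.

    The name check runs unconditionally; the revocation setting only adds
    warnings of its own and never suppresses a name mismatch, which is the
    behaviour the post reports IE 5.x getting wrong.
    """
    warnings = []
    if not hostname_matches(hostname, cert):
        warnings.append("name-mismatch")
    if check_revocation:
        if cert.crl_url is None:
            warnings.append("revocation-status-unknown")
        elif revoked:
            warnings.append("certificate-revoked")
    return warnings


# Constructed certificate for the site the user really intends to reach.
BANK_CERT = CertInfo(subject_cn="www.example-bank.test",
                     san_dns=["www.example-bank.test", "example-bank.test"],
                     crl_url=None)


def demo() -> dict:
    """Replay the post's HOSTS-file test with both revocation settings."""
    return {
        "revocation_off": evaluate("test.com", BANK_CERT, check_revocation=False),
        "revocation_on": evaluate("test.com", BANK_CERT, check_revocation=True),
        "genuine": evaluate("www.example-bank.test", BANK_CERT, check_revocation=False),
    }


if __name__ == "__main__":
    for case, found in demo().items():
        print(f"{case}: {found or 'no warnings'}")
```

With the spoofed name, `demo()` reports `name-mismatch` in both the revocation-off and revocation-on cases (the latter also flags `revocation-status-unknown`, because the constructed certificate lists no CRL URL, which is the situation the post suspects matters); the genuine hostname produces no warnings. A client that lets the revocation path short-circuit the name check would return an empty list in the `revocation_on` case, which is exactly the failure worth testing for.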