Bugtraq mailing list archives
Re: IE https certificate attack
From: Kevin van Haaren <kevin () vanhaaren net>
Date: Tue, 25 Dec 2001 12:10:54 -0600
At 3:37 PM +0100 12/22/01, security () e-matters de wrote:
Proof of Concept: A proof of concept webpage was put up at http://suspekt.org. Clicking onto the "To the secure page..." link will send your browser to https://suspekt.org without IE warning you that the certificate was not issued onto that server. This is not a MIM but it has the same effect: IE will tell you a page is secure although the certificate is illegal and it's possible for a third party (anyone who owns the given certificate) to decrypt your traffic in realtime.
I've tested the proof of concept page with both Internet Explorer 5.1.3 under Macintosh OS X 10.1.2 and Internet Explorer 5.0 under Mac OS 9.2.2. Both browsers report problems with the security certificate and prompt the user if they wish to continue.
Guess the issue is only complex under Windows operating systems 8-)

Kevin