Bugtraq mailing list archives

Re: IE https certificate attack


From: Kevin van Haaren <kevin () vanhaaren net>
Date: Tue, 25 Dec 2001 12:10:54 -0600

At 3:37 PM +0100 12/22/01, security () e-matters de wrote:
Proof of Concept:

   A proof of concept webpage was put up at http://suspekt.org. Clicking
   onto the "To the secure page..." link will send your browser to
   https://suspekt.org without IE warning you that the certificate was not
   issued onto that server.

   This is not a MIM but it has the same effect: IE will tell you a page is
   secure although the certificate is illegal and it's possible for a third
   party (anyone who owns the given certificate) to decrypt your traffic in
   realtime.

I've tested the proof of concept page with both Internet Explorer 5.1.3 under Macintosh OS X 10.1.2 and Internet Explorer 5.0 under Mac OS 9.2.2. Both browsers report problems with the security certificate and prompt the user if they wish to continue.

Guess the issue is only complex under Windows operating systems 8-)

Kevin

