Bugtraq mailing list archives

Re: IE https certificate attack


From: Donald King <donald_king () mail com>
Date: Wed, 26 Dec 2001 12:32:15 -0600

On Sat 22 Dec 2001 08:37, security () e-matters de wrote:
  [Snip]
   A flaw in Microsoft Internet Explorer allows an attacker to perform
   an SSL Man-In-The-Middle attack without the majority of users
   recognising it. In fact the only way to detect the attack is to manually
   compare the server name with the name stored in the certificate.

  [Snip]

I have confirmed the following on my own system:
 * Konqueror 2.1 is VULNERABLE;
 * Mozilla 0.9.6 is not vulnerable;
 * Netscape 4.75 is not vulnerable.

-- 
Donald King, a.k.a. Chronos Tachyon
http://chronos.dyndns.org/ -- WWED?
Guardian of Eristic Paraphernalia
Gatekeeper of the Region of Thud
 12:17pm  up 59 days, 16:03,  1 user,  load average: 0.13, 0.13, 0.09

