Bugtraq mailing list archives

RE: IE https certificate attack


From: The Death <thedeadh () netvision net il>
Date: Wed, 26 Dec 2001 19:37:03 +0200

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Several thoughts:
1) This issue is not new, it was presented several times in a few
places (e.g.: Schneier's book, "Secrets and Lies"), and the main
advice here is not to trust that little lock icon, but to manually
verify the certificate's correlation to the supposedly secure
site.
2) Tested under IE 6.0.2600 under Win 98 (Hebrew enabled if it
matters), there was no warning.
3) I believe MS's claim that cryptography is the cause of delay is
false. The cryptography there works well. There is nothing wrong with
verifying the certificate, the problem is with verifying that the
certificate matches the site. It is like having a problem with your
car's A/C, and having the repairman saying "This problem is hard to
fix, because you have a very complex 4x4 driving system in this car".
It is just not related, as far as I can see.

And that's about it.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPCoKue6B0r4ZZEp/EQIh+wCeOLtZXc1/chlGVFIpPOkjq74enncAnjGA
OC6SsDAlHQN64wT3pK/66UDU
=1ka7
-----END PGP SIGNATURE-----
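
The distinction drawn in point 3, as an added example that is not part of the original post: chain validation and the "does this certificate belong to this site" check are separate steps, and a client must pass both. The certificate dicts are constructed samples in the shape Python's `ssl.SSLSocket.getpeercert()` returns; the host names and the `accept_connection` helper are assumptions made for illustration.

```python
# Added example: the name check is independent of the cryptographic chain check.

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate dNSName against the host the user asked for."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # A wildcard stands for exactly one whole leftmost label and must be
        # followed by at least two labels, so "*.org" never matches anything.
        return len(p) >= 3 and p[1:] == h[1:]
    # Partial or misplaced wildcards ("w*.example", "www.*.example") are rejected.
    return "*" not in pattern and p == h


def cert_matches_site(cert: dict, hostname: str) -> bool:
    """True only if the certificate names the host the user typed."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        # Legacy fallback to the subject commonName; modern clients ignore it.
        names = [v for rdn in cert.get("subject", ())
                 for key, v in rdn if key == "commonName"]
    return any(dns_name_matches(n, hostname) for n in names)


def accept_connection(chain_ok: bool, cert: dict, hostname: str) -> bool:
    """chain_ok is the result of signature and trust-path validation.
    It says the certificate is genuine, not that it belongs to this site."""
    return chain_ok and cert_matches_site(cert, hostname)


# Constructed sample certificates (not real ones).
CERT_FOR_BANK = {
    "subject": ((("commonName", "www.bank.example"),),),
    "subjectAltName": (("DNS", "www.bank.example"),),
}
CERT_FOR_OTHER_SITE = {
    "subject": ((("commonName", "www.other.example"),),),
    "subjectAltName": (("DNS", "www.other.example"), ("DNS", "*.other.example")),
}

if __name__ == "__main__":
    # A genuine certificate, correctly signed, presented for the wrong site.
    print(accept_connection(True, CERT_FOR_OTHER_SITE, "www.bank.example"))  # False
    print(accept_connection(True, CERT_FOR_BANK, "www.bank.example"))        # True
```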

