Bugtraq mailing list archives

Bypassing Warnings For Invalid SSL Certificates, Part Two


From: FKnobbe () HOME COM (Frank Knobbe)
Date: Wed, 28 Jun 2000 13:43:52 -0500



Greetings,

remember the discovery by Mitja Kolsek regarding bypassing the
security warnings when you view SSL protected sites with an invalid
certificate? Back then I asked him what warnings he meant since I've
never seen one. :)

Apparently the reason I've never seen that warning was because I had
configured my Internet Explorer (5.1) to 'Check for Server
Certificate Revocation' and 'Check for Publisher Certificate
Revocation' (under the Advanced Tab in the Internet Options).

Testing has shown that with these checkboxes de-selected, I.E. will
warn about sites where the domain name doesn't match the one listed
in the certificate (to warn you about site spoofing). However, with
these checkboxes selected, no warning is presented at all.

To verify:

De-select above mentioned settings. Get the IP address of your
favorite SSL protected site and enter it into your local HOST file
with a mock domain name (for example test.com). Then open I.E. and go
to https://test.com and the page will be displayed without any
warning notifications. It displays the lock in the Status Bar as
usual.

When you do a right click on the page and check the status, it will
list that it cannot validate the certificate, as it should. It's
just that no warning will be presented to alert the user that the
site is not valid.

I'm not sure if this problem only occurs on SSL certificates that do
not list a revocation URL, or if it applies to all certs. I tested it
on patched and unpatched versions of I.E. 5.0 and 5.1.

I did not notify Microsoft before this posting because I don't
qualify this as a threatening exploit.

Workaround:
-----------

For users: Well, obviously de-select the mentioned settings.

Suggestions:
------------

For web site operators: Implement anti-spoofing redirections (which
more and more sites are using; that's good).

For certificate issuers: Make use of standards and implement them
fully. List a revocation URL in the certificate if you have one.

Regards,
Frank Knobbe

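The check the browser should have applied to https://test.com in the procedure above, as an added example that is not part of the original post: match the requested hostname against the certificate's names and keep that result independent of the revocation lookup, so a clean revocation status can never hide a name mismatch. It assumes the dict layout Python's ssl.SSLSocket.getpeercert() returns, embeds a constructed certificate dict rather than a real one, and uses a hypothetical revocation_ok input in place of the browser's own lookup.

```python
from typing import Any, List, Mapping, Optional

# Constructed sample in the shape of ssl.SSLSocket.getpeercert():
# a certificate issued to www.example.com with a wildcard SAN.
SAMPLE_CERT: Mapping[str, Any] = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.net")),
}


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern; a wildcard is only valid as the whole
    leftmost label and never spans a dot (RFC 6125 section 6.4.3)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject "*.com"-style patterns (fewer than three labels), as browsers do.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(cert: Mapping[str, Any], hostname: str) -> bool:
    """True if hostname matches a DNS SAN, or the CN when no DNS SAN exists."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        # When DNS SANs are present the CN must be ignored (RFC 6125 6.4.4).
        return any(_name_matches(p, hostname) for p in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _name_matches(value, hostname)
    return False


def trust_problems(cert: Mapping[str, Any], hostname: str,
                   revocation_ok: Optional[bool]) -> List[str]:
    """Collect every failed check; a passing revocation lookup (True) must
    not short-circuit the name check. revocation_ok is a hypothetical input:
    True = not revoked, False = revoked, None = status could not be obtained."""
    problems: List[str] = []
    if not hostname_matches_cert(cert, hostname):
        problems.append("certificate name does not match requested host")
    if revocation_ok is None:
        problems.append("revocation status unknown")
    elif not revocation_ok:
        problems.append("certificate revoked")
    return problems
```

A user agent should warn whenever trust_problems() returns a non-empty list, regardless of which check produced the entry.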

