Bugtraq mailing list archives

Re: IE SSL Vulnerability


From: Torbjörn Hovmark <torbjorn.hovmark () abtrusion com>
Date: Wed, 7 Aug 2002 11:58:04 +0200

I agree, this is really, really serious. If this is correct, I believe it is
one of the most serious vulnerabilities reported in a long time. People
trust SSL to protect their money, and this is a vulnerability where you
could easily attack thousands of users or go after the banks with a simple
man-in-the-middle attack. I have feared a certificate chain vulnerability
for some time now. This one certainly has the potential to hurt a lot of the
little guys if someone would decide to steal their money.

I wonder what the legal implications would be. I suppose, as the bug is in
the client software, the banks might be safe from a legal standpoint, even
though they have designed the poor security infrastructure they are using.
If client certificates were used for authentication, this bug would be far
less severe.

It is a bit sad that this was reported without letting Microsoft know about
it first, although I am not sure what they could have done had they known.
To get millions and millions of end users to patch their browsers is quite a
task, even for Microsoft.

Does this bug apply only to IE 5, 5.5 and 6 and not to earlier browsers? Is
it a bug in the browser or is it a bug in CryptoAPI? Is client certificate
authentication in IIS vulnerable to the same attack?


Best regards,

Torbjörn Hovmark

______________________________________
Abtrusion Security AB
http://www.abtrusion.com



----- Original Message -----
From: "Mike Benham" <moxie () thoughtcrime org>
To: <bugtraq () securityfocus com>
Sent: Tuesday, August 06, 2002 1:03 AM
Subject: IE SSL Vulnerability



========================================================================
Internet Explorer SSL Vulnerability 08/05/02
Mike Benham <moxie () thoughtcrime org>
http://www.thoughtcrime.org

========================================================================
Abstract

Internet Explorer's implementation of SSL contains a vulnerability that
allows for an active, undetected, man in the middle attack.  No dialogs
are shown, no warnings are given.

[...]


