Information Security News mailing list archives

Re: Security flaw found in Microsoft Web browser


From: InfoSec News <isn () c4i org>
Date: Wed, 14 Aug 2002 04:34:58 -0500 (CDT)

---------- Forwarded message ----------
Date: Tue, 13 Aug 2002 10:47:12 -0400
From: Ian Grigg <iang () systemics com>
To: dbs () philodox com
Subject: Re: [ISN] Security flaw found in Microsoft Web browser

On Tuesday 13 August 2002 08:00, you wrote:

``If you ever typed in credit card information to an SSL site
there's a chance that somebody intercepted it,'' he added.

Right.  A theoretical, infinitesimal chance.  Next to zero. This issue
has been around since the year dot, and there remains, ludicrously, no
documented or admitted cases where credit card numbers have been
intercepted on the net and used for fraudulent purposes.

By now, one would think that it would have happened by accident, just
through the sheer number of openly emailed credit card numbers.  But,
instead, real crackers do what real crackers do:  they hack into
machines and steal databases full of credit cards.

``I would consider this to be incredibly severe,'' he added.

Cryptography expert Bruce Schneier agreed.

``This is one of the worst cryptographic vulnerabilities I've seen
in a long time,'' said Schneier, co-founder and chief technology
officer at Counterpane Internet Security, a Cupertino,
California-based network monitoring firm.

``What this means is that all the cryptographic protections of SSL
don't work if you're a Microsoft IE user,'' Schneier added.

The eminent Mr Schneier must have been misquoted. What this permits is
an MITM attack, the most obscure and unlikely of the scenarios.  
Passive listening is presumably unaffected, by orders of magnitude a
greater danger.  I.e., say Yes to Mallory, say No to Eve.

MICROSOFT DOWNPLAYS REPORT

Not that anyone will believe them, but in this case, it is indeed
appropriate to assure that MITM attacks are hard. This doesn't mean
that they shouldn't fix the bug, but this flaw is more embarrassing
than devastating;  the fact that it took so long to find also points
out the relative lack of popularity that Mallory has in the real
world.

An attacker wouldn't even need to create a fake Web site, but could
merely intercept the data from a legitimate Web site without the
victim knowing, Benham said.

Right, so there are two approaches:  set up a fake web site as certs
are now fakable.  Or 'merely' intercept the traffic and conduct the
MITM.  The former is plausible, but in fact it goes on a lot already,
as seen from the gold experiences.  I wonder how successful those
efforts have been?  (It's no surprise that in later posts today, Rick
van Rein talks about these efforts, as he's observing real security at
work, not dwelling in the security industry.)

``The reason SSL exists is to defend against these types of
attacks,'' he said. ``If these types of attacks were so hard, nobody
would have to use SSL.''

Oddly enough, totally true.  SSL use is not that high, simply because
certs are so hard to set up, browsers discriminate against so called
snake-oils, and, meanwhile, MITM attacks remain too rare to measure.  
So there is no great "need" in the greater society of the net (other
than the commercial needs of various security companies).

-- 
iang
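
The post argues about how likely Mallory is, but the mechanism that lets certs become "fakable" is worth seeing in working code. Background not stated in the post: Benham's report concerned chain validation that never checked whether the certificate signing the one presented was itself permitted to act as a CA. The following is an added example, not code from Grigg's post, from the article he quotes, or from any browser. It uses only Go's standard library, generates throwaway keys on every run, and uses the constructed names shop.example, bank.example and "Constructed Root CA". It builds a root, an ordinary server cert for shop.example, and a cert for bank.example signed with shop.example's key, then runs that chain through a deliberately naive validator (signatures only) and through crypto/x509's Verify, which enforces the CA flag (basicConstraints).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// nextSerial hands out unique serial numbers for the constructed certificates.
var nextSerial int64

// mkCert issues a certificate for name, signed by parent (self-signed when parent is nil).
// Constructed material: keys are generated fresh on each run; nothing here is a real CA.
func mkCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // the extension is present on every cert ...
		IsCA:                  isCA, // ... and states whether the holder may sign other certs
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // server certs carry the hostname they vouch for
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// naiveVerify models the flawed validator: it walks the chain checking only that each
// signature verifies under the next certificate's key and that the walk ends at a
// trusted root. It never asks whether a signer is allowed to be a CA.
func naiveVerify(leaf *x509.Certificate, chain []*x509.Certificate, root *x509.Certificate) error {
	signers := append(append([]*x509.Certificate{}, chain...), root)
	cur := leaf
	for _, signer := range signers {
		pub, ok := signer.PublicKey.(*ecdsa.PublicKey)
		if !ok {
			return errors.New("unexpected key type")
		}
		digest := sha256.Sum256(cur.RawTBSCertificate) // ECDSA-with-SHA256 in this example
		if !ecdsa.VerifyASN1(pub, digest[:], cur.Signature) {
			return fmt.Errorf("bad signature on %q", cur.Subject.CommonName)
		}
		cur = signer
	}
	return nil // reached the trusted root; the CA flag was never examined
}

// strictVerify hands the same chain to crypto/x509, which rejects any intermediate
// that is not marked CA in basicConstraints and also checks the hostname.
func strictVerify(leaf *x509.Certificate, chain []*x509.Certificate, root *x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range chain {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

// Outcome records each validator's decision so the result can be checked, not just printed.
type Outcome struct {
	NaiveAcceptsForgery  bool
	StrictAcceptsForgery bool
	StrictAcceptsGenuine bool
}

// Scenario builds root -> shop.example (a plain server cert) -> bank.example (signed by the
// shop's key) and reports what each validator makes of it.
func Scenario() Outcome {
	root, rootKey := mkCert("Constructed Root CA", true, nil, nil)
	shop, shopKey := mkCert("shop.example", false, root, rootKey)
	forged, _ := mkCert("bank.example", false, shop, shopKey)
	return Outcome{
		NaiveAcceptsForgery:  naiveVerify(forged, []*x509.Certificate{shop}, root) == nil,
		StrictAcceptsForgery: strictVerify(forged, []*x509.Certificate{shop}, root, "bank.example") == nil,
		StrictAcceptsGenuine: strictVerify(shop, nil, root, "shop.example") == nil,
	}
}

func main() {
	o := Scenario()
	fmt.Printf("naive validator accepts leaf-signed cert:  %v\n", o.NaiveAcceptsForgery)
	fmt.Printf("strict validator accepts leaf-signed cert: %v\n", o.StrictAcceptsForgery)
	fmt.Printf("strict validator accepts genuine cert:     %v\n", o.StrictAcceptsGenuine)
}
```

The naive walk is what makes Mallory's job cheap: with it, any holder of any validly issued server certificate can mint a certificate for any other hostname that the client will accept, which is the precondition for the interception Benham describes. The strict path shows the check that closes it, and the genuine chain still verifies, so the fix costs nothing for legitimate sites.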



-
ISN is currently hosted by Attrition.org