Re: Major IE SSL Vulnerability?

From: Harvey Newstrom (mail@HarveyNewstrom.com)
Date: Wed Aug 14 2002 - 20:34:26 MDT


On Wednesday, August 14, 2002, at 09:34 pm, Emlyn O'regan wrote:

> This has come up today, and is of some concern to me professionally. I
> was wondering whether anyone else here knows anything about it? Harvey?
> I'm not sure if it's real, or a big hoax.

This is real. It is not a hoax. Only Microsoft Internet Explorer has
this bug. It does not exist in Netscape or Opera or other browsers.
Microsoft's bug has existed for many releases because their proprietary
code is not reviewed by anybody else. OpenSSL and other open-source
libraries not only do not have this error, but have been quickly
confirmed by reviewers all over to be unaffected. In my opinion, this
is a good example of why open source is more secure than secret source.

In a typical response, Microsoft is trying to confuse the issue and claim
it is too hard for people to really use this bug. Despite the many demo
sites demonstrating this bug, Microsoft says it is not a priority one
issue for them to fix. VeriSign and other Certificate Authorities seem
more interested in getting this problem fixed. They have done nothing
wrong, but are losing trust among customers because their clients don't
utilize the security correctly.

--
Harvey Newstrom, CISSP		<www.HarveyNewstrom.com>
Principal Security Consultant	<www.Newstaff.com>


This archive was generated by hypermail 2.1.5 : Sat Nov 02 2002 - 09:16:07 MST