Re: Major IE SSL Vulnerability?

From: Peter Amstutz (tetron@interreality.org)
Date: Thu Aug 15 2002 - 03:40:11 MDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

What this does is it allows one to circumvent the trust network, which in
conjunction with an attack like DNS hijacking could fool the user into
thinking they are connected to a certain web site when in fact they have
been directed to the attacker's site (which could redirect traffic to the
actual web site for a man-in-the-middle attack). This doesn't
fundamentally compromise SSL, only the notion that the only trusted
persons on the web are the ones who bowed down and paid the mighty
Verisign absurd sums of money for something that took their servers about
ten seconds to do.

The SSL certificate system is quite a scam, really, given the amount of
effort involved in actually creating and signing certificates. $100 for a
1-year certificate, $200 for a 2-year certificate? All they did was
change the expiration date for god's sake! The only way to justify
certificates being worth so much is if Verisign were legally liable for
issuing a bad certificate, because it represents their best efforts at
verifying your identity. For example, if they issue a certificate to some
unscrupulous person supplying false credentials, Verisign should be sued
for damages resulting from the misuse of that certificate --- otherwise how
could they justify charging so much? (Hint, it starts with an M and ends
in "opoly")

Er, sorry about the rant. Pet peeve there. Anyhow, despite the
predictions of doom, this isn't a direct vulnerability so much as a way of
increasing the effectiveness of other attacks. It does remove a potential
layer of protection against spoofing, which is something to be concerned
about.

On Thu, 15 Aug 2002, Emlyn O'regan wrote:

> This has come up today, and is of some concern to me professionally. I was
> wondering whether anyone else here knows anything about it? Harvey? I'm not
> sure if it's real, or a big hoax.
>
> Apparently, using SSL via IE (versions 4 through 6, I think, but especially
> 4 through 5.5), you are vulnerable to a relatively simple man-in-the-middle
> attack. Here's the bugtraq thread:
>
> http://online.securityfocus.com/archive/1/286895/2002-08-08/2002-08-14/1
>
> Emlyn

[ Peter Amstutz ][ amstutz@cs.umass.edu ][ tetron@interreality.org ]
[Lead Programmer][Interreality Project][Virtual Reality for the Internet]
[ VOS: Next Generation Internet Communication][ http://interreality.org ]
[ http://interreality.org/~tetron ][ pgpkey: /technology/tetron-pgp.key ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9W3cBaeHUyhjCHfcRAiLDAKCpTCriFmUEnepBotjpYhxhktmwCgCgqiQB
9NhqqW10PwY0TowrmKZW3rE=
=oWvL
-----END PGP SIGNATURE-----
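The "circumvent the trust network" point above, modelled as an added example that is not part of this thread and not code from any product mentioned in it. It is a toy: certificates are dicts, the "signature" is an HMAC under the issuer's key (a stand-in for RSA so it runs on the standard library alone), and all names and keys (Toy Root CA, attacker.example, www.bank.example, the secrets) are constructed. The rule the validator enforces is the general one a browser must apply: a certificate may only act as the issuer of another certificate if it is itself flagged as a CA (X.509's basicConstraints). Drop that check (`enforce_ca_flag=False`) and a cheap end-entity certificate anyone can buy becomes able to "issue" a certificate for somebody else's hostname that still chains to a trusted root, which is what makes the DNS-hijack-plus-MITM combination Peter describes succeed.

```python
"""Toy model of certificate-chain validation (added example, constructed data).

Certificates are plain dicts and a "signature" is an HMAC-SHA256 under the
issuer's key, a stand-in for RSA so the example needs only the standard
library.  Because the toy's signing and verification keys coincide, the
"key" field of a certificate is the very key that signs; in real X.509 only
the public half would appear there.  The attack being modelled does not rely
on that simplification: the attacker signs with a key they legitimately own.
"""
import hashlib
import hmac
import json


def _tbs(cert):
    """Deterministic serialisation of the to-be-signed fields."""
    fields = {k: cert[k] for k in ("subject", "issuer", "is_ca", "key")}
    return json.dumps(fields, sort_keys=True).encode()


def make_cert(subject, key, issuer_cert, issuer_key, is_ca):
    """Issue a toy certificate; issuer_cert=None means a self-signed root."""
    cert = {
        "subject": subject,
        "issuer": issuer_cert["subject"] if issuer_cert else subject,
        "is_ca": is_ca,          # stands in for the X.509 basicConstraints CA flag
        "key": key.hex(),        # toy: the verification key is the signing key
    }
    cert["sig"] = hmac.new(issuer_key, _tbs(cert), hashlib.sha256).hexdigest()
    return cert


def _signature_ok(cert, issuer_cert):
    expected = hmac.new(bytes.fromhex(issuer_cert["key"]), _tbs(cert),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert["sig"])


def validate_chain(chain, trust_anchors, expected_host, enforce_ca_flag=True):
    """Walk chain[0] (the server's leaf) up to a configured trust anchor.

    Returns (ok, reason).  enforce_ca_flag=False models a client that accepts
    any validly signed certificate as an issuer of further certificates, which
    is what lets an ordinary end-entity certificate bypass the trust network.
    """
    anchors = {c["subject"]: c for c in trust_anchors}
    if chain[0]["subject"] != expected_host:
        return False, f"leaf is for {chain[0]['subject']}, not {expected_host}"
    for i, cert in enumerate(chain):
        # the next element of the chain is the issuer, or else a trust anchor
        issuer = chain[i + 1] if i + 1 < len(chain) else anchors.get(cert["issuer"])
        if issuer is None:
            return False, f"no trust anchor named {cert['issuer']}"
        if issuer["subject"] != cert["issuer"]:
            return False, f"issuer name mismatch for {cert['subject']}"
        if not _signature_ok(cert, issuer):
            return False, f"bad signature on {cert['subject']}"
        if enforce_ca_flag and not issuer["is_ca"]:
            return False, f"{issuer['subject']} is not a CA but issued {cert['subject']}"
    return True, f"chain ends at trust anchor {chain[-1]['issuer']}"


def build_scenario():
    """Constructed data: a root, a cheap leaf the attacker genuinely bought,
    the bank's genuine leaf, and a bank-named certificate signed by the
    attacker's leaf."""
    root_key, attacker_key, bank_key, forged_key = (
        b"root-secret", b"attacker-secret", b"bank-secret", b"forged-secret")
    root = make_cert("Toy Root CA", root_key, None, root_key, is_ca=True)
    attacker_leaf = make_cert("attacker.example", attacker_key, root, root_key, is_ca=False)
    genuine_bank = make_cert("www.bank.example", bank_key, root, root_key, is_ca=False)
    forged_bank = make_cert("www.bank.example", forged_key, attacker_leaf, attacker_key, is_ca=False)
    return root, genuine_bank, [forged_bank, attacker_leaf]


if __name__ == "__main__":
    root, genuine, forged_chain = build_scenario()
    host = "www.bank.example"
    print("genuine, strict:", validate_chain([genuine], [root], host))
    print("forged,  lax   :", validate_chain(forged_chain, [root], host, enforce_ca_flag=False))
    print("forged,  strict:", validate_chain(forged_chain, [root], host))
```

Every signature in the forged chain verifies, and the chain really does end at the trusted root; the only thing separating the lax walk (accepted) from the strict one (rejected with "attacker.example is not a CA") is the issuer's CA flag. That is why the fix belongs in the client's validation logic rather than in the CA's pricing, and why a hostname check on the leaf alone is not enough.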



This archive was generated by hypermail 2.1.5 : Sat Nov 02 2002 - 09:16:08 MST