I agree, this is really, really serious. If this is correct, I believe it is one of the most serious vulnerabilities reported in a long time. People trust SSL to protect their money, and this is a vulnerability where you could easily attack thousands of users or go after the banks with a simple man-in-the-middle attack.

I have feared a certificate chain vulnerability for some time now. This one certainly has the potential to hurt a lot of the little guys if someone would decide to steal their money. I wonder what the legal implications would be. I suppose, as the bug is in the client software, the banks might be safe from a legal standpoint, even though they have designed the poor security infrastructure they are using. If client certificates were used for authentication, this bug would be far less severe.

It is a bit sad that this was reported without letting Microsoft know about it first, although I am not sure what they could have done had they known. To get millions and millions of end users to patch their browsers is quite a task, even for Microsoft.

Does this bug apply only to IE 5, 5.5 and 6 and not to earlier browsers? Is it a bug in the browser or is it a bug in CryptoAPI? Is client certificate authentication in IIS vulnerable to the same attack?

Best regards,
Torbjörn Hovmark
______________________________________
Abtrusion Security AB
http://www.abtrusion.com

----- Original Message -----
From: "Mike Benham" <moxie@thoughtcrime.org>
To: <bugtraq@securityfocus.com>
Sent: Tuesday, August 06, 2002 1:03 AM
Subject: IE SSL Vulnerability

>
> ========================================================================
> Internet Explorer SSL Vulnerability 08/05/02
> Mike Benham <moxie@thoughtcrime.org>
> http://www.thoughtcrime.org
>
> ========================================================================
> Abstract
>
> Internet Explorer's implementation of SSL contains a vulnerability that
> allows for an active, undetected, man in the middle attack. No dialogs
> are shown, no warnings are given.
>
> [...]