Search /
Docfinder:
Advanced search  |  Help  |  Site map
RESEARCH CENTERS
SITE RESOURCES
Click for Layer 8! No, really, click NOW!
Networking for Small Business
TODAY'S NEWS
First iPhone worm spreads Rick Astley wallpaper
Four reasons to buy (and one reason to avoid) the Droid
Stimulus for tech and telecom $3B, but jobs still guesswork
Cisco MARS shuts out new third-party security devices
Verizon Droid buzz muted in Boston
Week in Google news: Google Dashboard, Droid fever, focus on e-commerce
Cloud computing, virtualization proponents getting antsy
Data center start-up offers energy saving software
Vendors scrambling to fix bug in Net's security
Judge dismisses lawsuit challenging Gartner's Magic Quadrant
Boston Celtics clamp down on spam
Cloud computing inevitable? Not so fast, educator says
Blue Coat slashes staff, buys S7 services company
Apple seeks new sheriff to lock up iPhones
Security /

Severe IE flaw undermines SSL security, expert says

Today's breaking news
Send to a friendFeedback

By David Legard
IDG News Service, 08/13/02

A security flaw in Microsoft's Internet Explorer Web browser can completely undermine the supposedly watertight Secure Sockets Layer standard for securing online transactions and e-commerce, researchers said Tuesday.

IE's implementation of SSL contains a vulnerability which allows what is described as an active, undetected, man-in-the-middle attack, where no dialogs are shown and no warnings are given.

Security researcher Mike Benham said the problem is that IE fails to check the Basic Constraints of certificates signed by intermediate Certificate Authorities (CA). That means that as far as IE is concerned, anyone with a signed certificate for any domain can generate a certificate for any other domain, which will appear to be signed by a valid CA.

Describing the flaw, Internet security Web site Hideaway.net said: "Spoofing a trusted Web site is thus a trivial exploit; when combined with session hijacking, a man-in-the-middle attack is quite feasible. This destroys the whole purpose of SSL certificates in the first place."

Benham said that IE 5 and IE 5.5 are totally vulnerable to this kind of exploit, and IE 6 is vulnerable under most circumstances.

"I would consider this to be incredibly severe," Benham said in a newsgroup thread. "Any of the standard connection hijacking techniques can be combined with this vulnerability to produce a successful man in the middle attack. Since no warnings are given and no dialogs are shown, the attacker has effectively circumvented all security that an SSL certificate provides."

Microsoft has given no indications that it plans to fix this flaw, and Benham said his experience showed it would be difficult to get Microsoft to address the issue.

"Last week I saw Microsoft downplay and obfuscate the severity of the IE vulnerability that Adam Megacz reported," he wrote in the newsgroup thread. That vulnerability could allow Javascript-enabled browsers to make available to an external attacker the contents of machines located on a local network or intranet.

"After seeing that, I don't feel like wasting time with the Microsoft PR department," Benham said.

The IDG News Service is a Network World affiliate.

RELATED LINKS

Severe SSL Flaw in Internet Explorer
The Hideway.net report.

Apply for your free subscription to Network World. Click here. Or get Network World delivered in PDF each week.

Get Copyright Clearance
Request a reprint or permission to use this article.


NWFusion offers more than 40 FREE technology-specific email newsletters in key network technology areas such as NSM, VPNs, Convergence, Security and more.
Click here to sign up!
New Event - WANs: Optimizing Your Network Now.
Hear from the experts about the innovations that are already starting to shake up the WAN world. Free Network World Technology Tour and Expo in Dallas, San Francisco, Washington DC, and New York.
Attend FREE
Your FREE Network World subscription will also include breaking news and information on wireless, storage, infrastructure, carriers and SPs, enterprise applications, videoconferencing, plus product reviews, technology insiders, management surveys and technology updates - GET IT NOW.