[2847] in WWW Security List Archive


Re: (Fwd) Alleged security problems with (French) MSIE V2.0

daemon@ATHENA.MIT.EDU (Peter Trei)
Thu Aug 29 17:54:48 1996

From: "Peter Trei" <trei@process.com>
To: trei@process.com, www-security@ns2.rutgers.edu
Date: Thu, 29 Aug 1996 16:15:41 -6
Reply-to: trei@process.com
Errors-To: owner-www-security@ns2.rutgers.edu


Here's an update on the alleged problem. Once again, I have not
tried this myself.

* The problem also seems to exist in MSIE for Windows 3.1, English
version 2.1.

* The problem occurs when the server sends the browser a certificate
signed by a non-Verisign CA (maybe any cert where the signer
is not known to the browser?).

MSIE allegedly displays a 'locked key' icon, indicating a protected
connection, but sends the GET request in the clear.

I do not know if the server (which server?) sends the requested page. 
At the minimum, the request is potentially exposed to prying eyes.

Peter Trei
trei@process.com

Disclaimer: I am not representing my employer.
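
One way to check a report like this from a packet capture, as an added example that is not part of the original message: classify the first bytes the browser sends on the connection to the SSL port and flag any request line that arrives unencrypted. The function names, byte strings and URL below are constructed for illustration.

```python
import re

# Request line as a 1996-era browser would send it (HTTP/0.9 or HTTP/1.0).
_HTTP_REQUEST = re.compile(rb"^(GET|HEAD|POST) (\S+)(?: HTTP/\d\.\d)?\r?\n")


def classify_first_client_bytes(data: bytes) -> tuple[str, str]:
    """Classify the first bytes a client sent on a connection meant to be SSL."""
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        # SSLv2-style record: 2-byte header with the high bit set,
        # followed by message type 1 (CLIENT-HELLO).
        length = ((data[0] & 0x7F) << 8) | data[1]
        return ("ssl2-client-hello", f"record length {length}")
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        # SSLv3/TLS record: content type 22 (handshake), major version 3,
        # handshake type 1 (ClientHello).
        return ("ssl3-tls-client-hello", f"record version 3.{data[2]}")
    match = _HTTP_REQUEST.match(data)
    if match:
        # The request target is readable by anyone on the path.
        return ("cleartext-http", match.group(2).decode("latin-1"))
    return ("unknown", data[:8].hex())


def exposed_requests(flows: dict[str, bytes]) -> list[str]:
    """Return the request targets that were sent in the clear."""
    results = (classify_first_client_bytes(d) for d in flows.values())
    return [detail for verdict, detail in results if verdict == "cleartext-http"]


# Constructed sample: SSLv2 CLIENT-HELLO (28-byte body: type, version 0x0002,
# 3 bytes of cipher specs, empty session id, 16-byte challenge).
SSL2_HELLO = (bytes([0x80, 0x1C, 0x01, 0x00, 0x02, 0x00, 0x03, 0x00, 0x00, 0x00, 0x10])
              + bytes([0x01, 0x00, 0x80]) + bytes(16))

# Constructed sample flows: first client bytes seen on TCP port 443.
SAMPLES = {
    "flow-1 (handshake as expected)": SSL2_HELLO,
    "flow-2 (behaviour described in the report)":
        b"GET /cgi-bin/order?item=42 HTTP/1.0\r\n\r\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, "->", classify_first_client_bytes(data))
```
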



