[23607] in bugtraq
Re: IE https certificate attack
daemon@ATHENA.MIT.EDU (Dimitris Giannitsaros)
Mon Dec 24 20:25:42 2001
Message-ID: <003101c18cb8$64e64c10$e19810d5@win2000srv>
From: "Dimitris Giannitsaros" <daremon@ath.forthnet.gr>
To: <security@e-matters.de>, <bugtraq@securityfocus.com>
Date: Mon, 24 Dec 2001 22:20:12 +0200

I use IE 5.00.3315.1000 / Win2k Pro SP2 and no other patches. I am not
vulnerable: IE correctly displays the warning ("Security Alert") saying that
"The name on the security certificate does not match the name of the site"
and asking whether I want to continue. From this message I can also choose
"View Certificate" where I see that it is published for ssl-ematters.de and
not suspekt.org...

Dimitris

> Proof of Concept:
>
> A proof of concept webpage was put up at http://suspekt.org. Clicking
> onto the "To the secure page..." link will send your browser to
> https://suspekt.org without IE warning you that the certificate was not
> issued onto that server.
>
> This is not a MIM but it has the same effect: IE will tell you a page is
> secure although the certificate is illegal and it's possible for a third
> party (anyone who owns the given certificate) to decrypt your traffic in
> realtime.