[23610] in bugtraq
Re: IE https certificate attack
daemon@ATHENA.MIT.EDU (Przemyslaw Frasunek)
Tue Dec 25 12:37:41 2001
Message-Id: <200112251514.fBPFEdg15186@mailhost.freebsd.lublin.pl>
From: Przemyslaw Frasunek <venglin@freebsd.lublin.pl>
To: security@e-matters.de, bugtraq@securityfocus.com
Date: Tue, 25 Dec 2001 16:14:39 +0100
In-Reply-To: <20011222153704.A8049@e-matters.de>

On Saturday 22 December 2001 15:37, security@e-matters.de wrote:
> A proof-of-concept webpage was put up at http://suspekt.org. Clicking
> on the "To the secure page..." link will send your browser to
> https://suspekt.org without IE warning you that the certificate was not
> issued to that server.

Looks like Konqueror 2.2.1 (Mandrake Linux 8.1 + OpenSSL 0.9.6b) is also
vulnerable. I got no warning when entering this page. I've also tested it
with lynx 2.8.4rel.1 (compiled with OpenSSL 0.9.6a on FreeBSD) with the
same result.

--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *