[23625] in bugtraq


RE: IE https certificate attack

daemon@ATHENA.MIT.EDU (The Death)
Wed Dec 26 19:39:05 2001

Date: Wed, 26 Dec 2001 19:37:03 +0200
From: The Death <thedeadh@netvision.net.il>
In-reply-to: <20011222153704.A8049@e-matters.de>
To: security@e-matters.de
Cc: Bugtraq SecurityFocus <bugtraq@securityfocus.com>
Message-id: <NEBBJLCKKLCOOOAGBEAGEEANCDAA.thedeadh@netvision.net.il>
MIME-version: 1.0
Content-type: text/plain; charset=windows-1255
Content-transfer-encoding: 7BIT


Several thoughts:
1) This issue is not new; it was presented several times in a few
places (e.g. Schneier's book, "Secrets and Lies"), and the main
advice here is not to trust that little lock icon, but to manually
verify the certificate's correlation to the supposedly secure
site.
2) Tested under IE 6.0.2600 under Win 98 (Hebrew enabled if it
matters): there was no warning.
3) I believe MS's claim that cryptography is the cause of delay is
false. The cryptography there works well. There is nothing wrong with
verifying the certificate; the problem is with verifying that the
certificate matches the site. It is like having a problem with your
car's A/C, and having the repairman say "This problem is hard to
fix, because you have a very complex 4x4 driving system in this car".
It is just not related, as far as I can see.

And that's about it.

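As an added illustration of the check the poster says the lock icon should stand for (example code written for this archive page, not part of the original message): a hostname-matching routine run over constructed certificate dictionaries in the shape Python's `ssl.getpeercert()` returns. The certificate contents and site names are assumptions; a certificate that is cryptographically valid but issued for another site must still be rejected.

```python
# Constructed certificates in the shape ssl.getpeercert() returns (assumed values).
GOOD_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.mail.example.com")),
}
# A perfectly valid certificate, but issued for a different site entirely.
OTHER_CERT = {
    "subject": ((("commonName", "other-site.example.net"),),),
    "subjectAltName": (("DNS", "other-site.example.net"),),
}


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname (RFC 6125-style rules)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # A wildcard is only accepted as the entire left-most label, never matches
    # across a dot, and is refused for names too short to be meaningful (*.com).
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def names_from_cert(cert: dict) -> list[str]:
    """DNS names the certificate is issued for: SAN entries win; CN is only a fallback."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def cert_matches_site(cert: dict, hostname: str) -> bool:
    """The check that must pass before a 'secure' indicator means anything."""
    return any(_name_matches(name, hostname) for name in names_from_cert(cert))


if __name__ == "__main__":
    for cert, site in [(GOOD_CERT, "www.example.com"), (OTHER_CERT, "www.example.com")]:
        verdict = "matches" if cert_matches_site(cert, site) else "DOES NOT match"
        print(f"certificate for {names_from_cert(cert)} {verdict} site {site}")
```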

