[NT] Internet Explorer HTTPS Certificate Attack

From: support@securiteam.com
To: list@securiteam.com
Date: Mon, 24 Dec 2001 18:07:21 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Internet Explorer HTTPS Certificate Attack


A flaw in Microsoft Internet Explorer allows an attacker to perform an SSL
man-in-the-middle attack that the majority of users will not recognize. In
fact, the only way to detect the attack is to manually compare the server
name with the name stored in the certificate.


There is a flaw in the way Internet Explorer checks HTTPS objects that are
embedded in normal HTTP pages. According to the tests conducted, Internet
Explorer only checks whether the certificate of the HTTPS server is
properly signed by a trusted CA; it entirely ignores whether the certificate
was issued for the correct name or has already expired.

On its own this would not be dangerous, because the user does not consider
HTTPS objects embedded in an HTTP page to be secure anyway. The problem is
that Internet Explorer flags the certificate as trusted and caches this
trust decision until the browser session ends. That means that once you have
visited a normal HTTP page that included an image from the man-in-the-middle
(MIM) SSL server (for more information on MIM SSL, see
http://www.phrack.org/show.php?p=57&a=13), Internet Explorer will not warn
you about a certificate that is not valid for that site, as long as the
certificate was signed by, for example, VeriSign.

A possible scenario would be:
The attacker runs a MIM attacking tool for HTTP/HTTPS in the subnet of your
site. The HTTP part of the tool automatically appends

<img src="https://www.example.com/nonexistent.gif" width=1 height=1>

to any HTML page that is returned to your customer's browser, and the HTTPS
part presents the browser with a valid but stolen certificate for
www.shop.com. When trying to display the image, Internet Explorer will only
check whether the certificate was signed by a trusted CA; it will neither
compare the name inside the certificate with the server name nor check the
expiration date. If your customer now tries to log in to your site via
HTTPS, Internet Explorer will consider the certificate trustworthy without
checking it again. Your customer can only find out that he has just been
tricked by manually checking the server name in the certificate. You can be
sure that only paranoid people would check; the majority of people do not
even know how to do so. Imagine the attacker stole the certificate for
"yoursite.de": how many users of "yoursite.com" would distrust a
certificate that was issued for "yoursite.de"? The average user knows
nothing about SSL except that it makes his payment "secure".
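The scenario above, as an added example that is not code from the advisory, from its author, or from Microsoft. Internet Explorer's real validation logic is not public, so FlawedBrowser encodes only the behaviour the advisory reports (subresource certificates accepted on CA signature alone and the verdict cached per session); FixedBrowser beside it shows what the check has to look like. The CA name "Toy Root CA", the certificates, the hostnames and the dates are constructed stand-ins.

```python
"""Model of the trust-caching flaw described in the advisory (added example).

FlawedBrowser reproduces the reported IE behaviour; FixedBrowser does what a
client must do.  All certificates, names and dates below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed trust store: the single root CA the toy browser trusts.
TRUSTED_CAS = frozenset({"Toy Root CA"})


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 server certificate.  Frozen so it is
    hashable and can serve as a cache key, as a fingerprint would."""
    subject_cn: str
    sans: tuple            # dNSName subjectAltName entries, may be empty
    issuer: str
    not_before: datetime
    not_after: datetime

    def names(self):
        # SAN entries take precedence; the CN is only a fallback.
        return self.sans or (self.subject_cn,)


def hostname_matches(hostname, pattern):
    """RFC 6125-style match: case-insensitive exact match, or a single '*'
    as the whole leftmost label matching exactly one label, so
    '*.example.com' matches 'www.example.com' but not 'example.com' or
    'a.b.example.com'."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*" and len(pat) >= 3:
        return host[1:] == pat[1:]
    return "*" not in pattern and host == pat


def verify(hostname, cert, now):
    """The three checks the advisory says IE skipped for embedded objects:
    trusted issuer, name matches the host, inside the validity period.
    (Chain building and revocation are out of scope for the model.)"""
    return (cert.issuer in TRUSTED_CAS
            and any(hostname_matches(hostname, n) for n in cert.names())
            and cert.not_before <= now <= cert.not_after)


class FlawedBrowser:
    """Reported behaviour: a certificate seen on an embedded HTTPS object is
    accepted on the CA signature alone, the verdict is cached for the
    session, and a later top-level page with the same cert is not re-checked."""

    def __init__(self):
        self._trusted_certs = set()

    def accept(self, hostname, cert, now, top_level):
        if cert in self._trusted_certs:          # cache hit: no checks at all
            return True
        if top_level:
            ok = verify(hostname, cert, now)
        else:
            ok = cert.issuer in TRUSTED_CAS      # name and expiry skipped
        if ok:
            self._trusted_certs.add(cert)        # keyed on the cert only
        return ok


class FixedBrowser:
    """Correct behaviour: every connection gets the full check, any cache is
    keyed on the (hostname, certificate) pair, and a cached verdict never
    bypasses the validity-period check."""

    def __init__(self):
        self._trusted_pairs = set()

    def accept(self, hostname, cert, now, top_level):
        if (hostname, cert) not in self._trusted_pairs:
            if not verify(hostname, cert, now):
                return False
            self._trusted_pairs.add((hostname, cert))
        return cert.not_before <= now <= cert.not_after


def run_scenario(browser_cls):
    """Replay the advisory's scenario: the attacker answers for
    www.example.com with a valid but stolen www.shop.com certificate, first
    for the injected 1x1 image, then for the HTTPS login page."""
    now = datetime(2001, 12, 24, tzinfo=timezone.utc)
    valid_from = datetime(2001, 1, 1, tzinfo=timezone.utc)
    valid_to = datetime(2002, 1, 1, tzinfo=timezone.utc)
    stolen = Cert("www.shop.com", ("www.shop.com",), "Toy Root CA", valid_from, valid_to)
    genuine = Cert("www.example.com", ("www.example.com",), "Toy Root CA", valid_from, valid_to)
    b = browser_cls()
    return {
        # <img src="https://www.example.com/nonexistent.gif"> in an HTTP page
        "embedded_image": b.accept("www.example.com", stolen, now, top_level=False),
        # the customer then logs in at https://www.example.com/
        "login_with_stolen_cert": b.accept("www.example.com", stolen, now, top_level=True),
        # control: the shop's own certificate is accepted by both models
        "login_with_genuine_cert": b.accept("www.example.com", genuine, now, top_level=True),
    }


if __name__ == "__main__":
    for cls in (FlawedBrowser, FixedBrowser):
        print(cls.__name__, run_scenario(cls))
```

Running the block shows FlawedBrowser accepting the stolen certificate for both the image and the login, while FixedBrowser rejects it both times and still accepts the shop's own certificate. The design point is the cache key: a trust decision is only meaningful for the (hostname, certificate) pair it was made for, and even a cached pair has to be re-checked against the validity period.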

Proof of Concept:
A proof-of-concept web page is available at http://suspekt.org. Clicking on
the "To the secure page..." link will send your browser to
https://suspekt.org without IE warning you that the certificate was not
issued for that server. This is not a MIM, but it has the same effect:
Internet Explorer will tell you the page is secure although the certificate
is not valid for the site, and it is possible for a third party (anyone who
holds the given certificate and its private key) to decrypt your traffic in
real time.

Vendor Response:
26 November 2001 Microsoft was informed about this vulnerability
27 November 2001 Proof-of-concept page was visited by lots of MS IPs
01 December 2001 Microsoft informed us with a standard reply that they had received the advisory
12 December 2001 Microsoft was informed that an advisory was going to be released within the next 3 days
13 December 2001 Microsoft asked us to wait because the issue is complex, since a lot of cryptography is involved
21 December 2001 Microsoft sent an update: no patches yet, still a complex


The information has been provided by Stefan Esser <security@e-matters.de>.


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
