Re: IE https certificate attack
From: Kevin van Haaren (kevin@vanhaaren.net)Date: 12/25/01
- Previous message: Stephen Cope: "Re: IE https certificate attack"
- In reply to: security@e-matters.de: "IE https certificate attack"
- Next in thread: Donald King: "Re: IE https certificate attack"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 25 Dec 2001 12:10:54 -0600 To: bugtraq@securityfocus.com From: Kevin van Haaren <kevin@vanhaaren.net>
At 3:37 PM +0100 12/22/01, security@e-matters.de wrote:
>Proof of Concept:
>
> A proof of concept webpage was put up at http://suspekt.org. Clicking
> onto the "To the secure page..." link will send your browser to
> https://suspekt.org without IE warning you that the certificate was not
> issued onto that server.
>
> This is not a MIM but it has the same effect: IE will tell you a page is
> secure although the certificate is illegal and its possible for a third
> party (anyone who owns the given certificate) to decrypt your traffic in
> realtime.
I've tested the proof of concept page with both Internet Explorer
5.1.3 under Macintosh OS X 10.1.2 and Internet Explorer 5.0 under Mac
OS 9.2.2. Both browsers report problems with the security
certificate and prompt the user if they wish to continue.
Guess the issue is only complex under Windows operating systems 8-)
Kevin
- Previous message: Stephen Cope: "Re: IE https certificate attack"
- In reply to: security@e-matters.de: "IE https certificate attack"
- Next in thread: Donald King: "Re: IE https certificate attack"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
