In-Reply-To: <[EMAIL PROTECTED]>
Mike,
I have checked out your sample exploit, and I can confirm that my IE 5 is
vulnerable. Regarding the post by Alex Loots, the certificate is a regular
server certificate, not an intermediate CA with name constraints (if I
have understood his message correctly) and the error certainly is in the
client software and not anywhere else.
Is the error in the browser itself or is it in CryptoAPI? What about
earlier versions of IE - are they vulnerable too. Are other Microsoft
products that do certificate chain validation, such as IIS, vulnerable?
I agree that this is very, very serious, as it can easily be exploited
against a large number of people at the same time, with very little risk
of detection. There is not much that can be done to remedy the problem on
the server side. A partial remedy would be to demand client certificates,
but in most cases that requires completely changing the security
infrastructure. SSL is used to protect most Internet banks. If SSL (or
rather the IE implementation of SSL) can be broken this easily, it is very
worrying indeed.
Best regards / Torbj�rn Hovmark
______________________________________
Abtrusion Security AB
http://www.abtrusion.com
