This is a follow-up to my previous advisory: http://online.securityfocus.com/archive/1/286290/2002-07-31/2002-08-06/0
Thanks to everyone who helped verify the vulnerability. I've written a small tool (sslsniff) that demonstrates the severity of this vulnerability in a real-world setting. It performs undetected hijacking/sniffing of IE SSL sessions, even on a switched network. It can be found at http://www.thoughtcrime.org/ie.html Still no word from Microsoft. - Mike -- http://www.thoughtcrime.org
