<<Bug Warning: One specially crafted e-mail can entirely disable https in Mozilla/Netscape without the user noticing when it happens (Windows and Linux)>>
Hello,
I've found a vulnerability in current Mozilla releases in the certificate handling: One specially crafted email can be used to exclude the emails' recipients from HTTPS-Connections using eg. a thawte-signed cert, no user interaction is needed nor warnings shown. The vulnerability is not only exploitable by email but also by specially prepared web pages. The exploit is possible to all the certificates stored in the built-in certificate store.
The vulnerabilities have been reported to mozilla.org, as well as some linux distributors including the Mozilla browser; until now there has been no reaction.
See the details on https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127186 and on http://bugzilla.mozilla.org/show_bug.cgi?id=249004, as well as on my diploma thesis project page that can be found on https://banquo.inf.ethz.ch:8080/.
I'm looking forward to hearing from you.
Sorry this took so long to get noticed. If you mail [EMAIL PROTECTED], you will get very fast (< 1 day) response, likely including a patch and an announcement of new builds (witness the recent shell: hole in Windows versions of Mozilla products).
We're working on extending bugzilla so any security-sensitive bug causes mail to [EMAIL PROTECTED]; we sure could have used that in your case. We'll do better from now on. Thanks for the report.
/be _______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
