e-Matters security reported a flaw in Microsoft Internet Explorer (IE) that allows a remote user to perform a Secure Sockets Layer (SSL) man-in-the-middle attack without being detected by most users.

The flaw is reportedly due to the way IE checks HTTPS objects that are embedded in normal HTTP pages. In this case, IE reportedly checks that the certificate of the SSL web server is properly signed by a trusted certificate authority (CA) but does not verify whether the certificate has expired or whether it was issued for the correct host name. This is apparently accepted behavior, because HTTPS objects within HTTP pages are treated as non-secure. However, IE reportedly considers the certificate to be trusted and caches the trust relationship until the browser session ends. Once this has occurred, a man-in-the-middle attack is possible: if the user then visits a site with an expired certificate or an invalid host name binding, IE will not warn of this as long as the certificate was signed by a trusted CA.
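The validation logic described above, modelled as an added example (not code from the advisory or from Microsoft). The class names, the constructed CA name, host names, dates and fingerprint are assumptions for illustration; the hardened variant shows the full check with trust cached per certificate and host.

```python
from dataclasses import dataclass
from datetime import datetime

TRUSTED_CAS = {"Constructed Root CA"}  # constructed trust store, not a real CA

@dataclass(frozen=True)
class Cert:
    fingerprint: str
    issuer: str
    host: str            # host name the certificate was issued for
    not_after: datetime  # expiry

def ca_trusted(cert):
    return cert.issuer in TRUSTED_CAS

def full_check(cert, host, now):
    """Trusted CA, not expired, and issued for the host being contacted."""
    return ca_trusted(cert) and now <= cert.not_after and cert.host == host

class FlawedSession:
    """Model of the reported behaviour (assumed structure, not IE code)."""
    def __init__(self):
        self.cache = set()                  # trust cached per certificate only
    def load_embedded(self, cert, host, now):
        if ca_trusted(cert):                # expiry and host name are skipped
            self.cache.add(cert.fingerprint)
            return True
        return False
    def visit_https(self, cert, host, now):
        if cert.fingerprint in self.cache:  # cached trust suppresses the checks
            return "no warning"
        return "no warning" if full_check(cert, host, now) else "warning"

class HardenedSession(FlawedSession):
    """Corrected model: trust is cached only after the full check, per host."""
    def load_embedded(self, cert, host, now):
        if full_check(cert, host, now):
            self.cache.add((cert.fingerprint, host))
            return True
        return False
    def visit_https(self, cert, host, now):
        cached = (cert.fingerprint, host) in self.cache and now <= cert.not_after
        return "no warning" if cached or full_check(cert, host, now) else "warning"

def demo(session_cls, issued_for="other.example", expires=datetime(2005, 1, 1)):
    now = datetime(2004, 1, 1)              # constructed date
    # Constructed certificate: signed by the trusted CA, other fields vary.
    cert = Cert("aa:bb", "Constructed Root CA", issued_for, expires)
    s = session_cls()
    embedded_ok = s.load_embedded(cert, "shop.example", now)
    return embedded_ok, s.visit_https(cert, "shop.example", now)
```

`demo(FlawedSession)` shows the embedded object being accepted and the later HTTPS visit producing no warning for a certificate issued to a different host; `demo(HardenedSession)` rejects it at both steps.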

No solution was available from Microsoft at this time.

security@e-matters.de
