SSL in MSIE broken.
Cho Da
08-13-2002, 09:49 AM
Who do you trust today? (http://www.thoughtcrime.org/ie-ssl-chain.txt)
Pseudolus
08-13-2002, 10:18 AM
I'm not too worried about this myself, but I would be if I were a credit-card company. If my number gets stolen and used, and I report the unauthorized transactions as soon as the bill comes, I don't take the loss, the card company does.
glenn
08-13-2002, 10:22 AM
The CA verifies that the administrator legitimately owns the URL in the CN field, signs the certificate, and gives it back.
Last year(?) a CA - Verisign I think - issued a Microsoft certificate to someone who wasn't Microsoft. Somebody just called up and said "I'm with MS, I need a cert", and got one. The cert allows them to act as MS, unless you update your list of certs in your browser. Last time you did this was when?
What's worse is that a lot of Mom & Pop shops will set up a 'secure' shopping site that emails them orders. Your order is encrypted and sent to the server (looks good so far). At the server, the order is unencrypted and sent by plain text email to the store. Not so good, and no way to tell if this is happening. There goes your unencrypted card number across the internet. I *know* this happens a lot, I've spoken to ISPs and small operations that do this. Problem is that it's easy to unencrypt the order at the server, difficult to do it on your Windows machine.
Really though, standard e-commerce is pretty secure, even if your information is unencrypted. To get your info with a spoofed certificate as mentioned in the above post, someone has to convince you to shop on their site. Quite a bit of work. And to read your info in an unencrypted email, someone would have to capture the email while it's online, or hack a server and then set up software that watches for individual orders.
What normally happens is that large operations will unencrypt your info and leave it on a database on their server. Hackers will crack the server and get your info from the database. Instant gratification. Larger orgs are not only a better target, but more likely to have their order admin system with your info, on a server connected somehow to the internet. In this respect, Mom & Pop shops may actually be more secure. Once your card info is retrieved by email, it is essentially off of the internet and not available (unless their personal machine gets hacked by someone looking for card info - unlikely).
Cho Da
08-13-2002, 10:29 AM
Something similar happened to our flexible spending account administrator. Someone broke into their office and stole their server. It had names, addresses, DOB and SSN. We all got a warning to put a fraud notice in our credit file. It made for a couple of interesting calls from credit grantors when I bought a car and refinanced my mortgage. Most likely the thieves took it for hardware, not for the info content.
There is usually an easier way.
Cho Da
08-16-2002, 04:54 PM
It appears it is not a flaw in MSIE, but instead a bug in the OS!
Microsoft: SSL flaw is in operating system, not Web browser (http://www.computerworld.com/securitytopics/security/holes/story/0,10801,73507,00.html)
MS is trying to soft soap it: MS soft-pedals SSL hole (http://www.theregus.com/content/4/26010.html)