exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

CA-2000-10.ie

CA-2000-10.ie
Posted Jun 6, 2000
Site cert.org

CERT Advisory CA-2000-10 - Several flaws exist in Microsoft Internet Explorer that could allow an attacker to masquerade as a legitimate web site if the attacker can compromise the validity of certain DNS information. These problems are different from the problems reported in CERT Advisory CA-2000-05 and CERT Advisory CA-2000-08, but they have a similar impact.

tags | web
SHA-256 | caa2d8e1fc0030e105ed4758efd2116e7096d4949c4c4cfa5c18509f8e8e48a8

CA-2000-10.ie

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CERT Advisory CA-2000-10 Inconsistent Warning Messages in Internet Explorer

Original release date: June 6, 2000
Last Revised: --
Source: CERT/CC

A complete revision history is at the end of this file.

Systems Affected

* Systems running Microsoft Internet Explorer

Overview

Several flaws exist in Microsoft Internet Explorer that could allow an
attacker to masquerade as a legitimate web site if the attacker can
compromise the validity of certain DNS information. These problems are
different from the problems reported in CERT Advisory CA-2000-05 and
CERT Advisory CA-2000-08, but they have a similar impact.

I. Description

Digital certificates are small documents used to authenticate and
encrypt information transmitted over the Internet. One very common use
of digital certificates is to secure electronic commerce transactions
through SSL (Secure Socket Layer). The kind of certificates used in
e-commerce transactions are called X.509 certificates. The X.509
certificates help a web browser and the user ensure that sensitive
information transmitted over the Internet is readable only by the
intended recipient. This requires verifying the recipient's identity
and encrypting data so that only the recipient can decrypt it.

The "padlock" icon used by Internet Explorer (as well as Netscape and
other browsers) is an indication that an SSL-secured transaction has
been established to someone. It does not necessarily indicate to whom
the connection has been established. Internet Explorer (and other
browsers) take steps to warn users when DNS-based information
conflicts with the strongly authenticated information contained in the
X.509 certificates used in SSL transactions. These warnings are
supplemental information to help users decide if they're connecting to
whom they think they are connecting. These steps and warnings are
designed to protect against attacks on the DNS information.

Descriptions of the problems provided by Microsoft are shown below.

IE fails to validate certificates in images or frames

When a connection to a secure server is made via either an image or a
frame, IE only verifies that the server's SSL certificate was issued
by a trusted root - it does not verify the server name or the
expiration date. When a connection is made via any other means, all
expected validation is performed.

IE fails to revalidate certificates within the same session

Even if the initial validation is made correctly, IE does not
re-validate the certificate if a new SSL session is establish with the
same server during the same IE session.

We encourage you to read Microsoft Security Bulletin MS-039 for
additional details provided by Microsoft. This document is available
at

https://www.microsoft.com/technet/security/bulletin/ms00-039.asp

II. Impact

Attackers can trick users into disclosing information (such as credit
card numbers, personal data, or other sensitive information) intended
for a legitimate web site.

III. Solution

General Recommendations When Using SSL

DNS information is fundamentally insecure, and there are a variety of
means by which an attacker can provide false or misleading DNS
information, even in the absence of any vulnerabilities in a DNS
server. Browsers attempt to compensate for this insecurity by
providing warning messages when the strongly authenticated certificate
information does not match the DNS information. While we strongly
recommend that you stay up to date with respect to patches and
workarounds provided by your browser vendor, we also encourage you to
take the following steps, particularly for sensitive transactions.

Check Certificates

The CERT/CC recommends that prior to providing any sensitive
information over SSL, you check the name recorded in the certificate
to be sure that it matches the name of the site to which you think you
are connecting. For example, in Internet Explorer 5 (for Windows),
double click on the "padlock" icon to engage the "Certificate" dialog
box. Click on the "Details" tab to see information about the
certificate, including the thumbprint. Click on the "Certification
Path" tab for information about the certificate authority that signed
the certificate. If you do not trust the certificate authority or if
the name of the server does not match the site to which you think
you're connecting, be suspicious.

Validate Certificates Independently

Web browsers come configured to trust a variety of certificate
authorities. If you delete the certificates of all the certificate
authorities in your browser, then whenever you encounter a new SSL
certificate, you will be prompted to validate the certificate
yourself. You can do this by validating the fingerprint on the
certificate through an alternate means, such as the telephone. That
is, the same dialog box mentioned above also lists a fingerprint for
the certificate. If you wish to validate the certificate yourself,
call the organization for which the certificate was issued and ask
them to confirm the fingerprint on the certificate.

Deleting the certificates of the certificate authorities in your
browser will cause the browser to prompt you for validation whenever
you encounter a new site certificate. This may be inconvenient and
cumbersome, but it provides you with greater control over which
certificates you accept.

It is also important to note that this sort of verification is only
effective if you have an independent means through which to validate
the certificate. This sort of validation is called out-of-band
validation. For example, calling a phone number provided on the same
web page as the certificate does not provide any additional security.

The CERT/CC encourages all organizations engaging in electronic
commerce to train help desk or customer support personnel to answer
questions about certificate fingerprints/thumbprints.

Note: Microsoft Internet Explorer 5, Macintosh Edition, does not
provide any means by which users can validate certificates by checking
the fingerprint/thumbprint. Our conversations with Microsoft indicate
that the Macintosh version of Internet Explorer is not affected by
these specific problems, however, because of the fundamentally
insecure nature of DNS, we recommend using a browser that does allow
users to validate certificates on whatever platform they use,
including MacOS

Specific Defenses Against These problems

Stay up to date with patches, workarounds, and certificate management
products. Appendix A lists information regarding these problems.

Appendix A Vendor Information

Microsoft Corporation

Information from Microsoft is available at

https://www.microsoft.com/technet/security/bulletin/ms00-039.asp
_________________________________________________________________

The CERT Coordination Center thanks the ACROS Security Team of
Slovenia, who originally discovered this problem, and Ric Ford,
President of MacInTouch, Inc.
_________________________________________________________________

Shawn Hernan was the primary author of this document.
______________________________________________________________________

This document is available from:
https://www.cert.org/advisories/CA-2000-10.html
______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from

https://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more
information.

Getting security information

CERT publications and other security information are available from
our web site

https://www.cert.org/

To be added to our mailing list for advisories and bulletins, send
email to cert-advisory-request@cert.org and include SUBSCRIBE
your-email-address in the subject of your message.

* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2000 Carnegie Mellon University.

Revision History
June 6, 2000: initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBOT0FD1r9kb5qlZHQEQJsVACdEBzlJ7cgHNWerGK6Ix9MQxh2Y9EAoJC4
PSqEO0xNEc0rRFmnQs0L8lSi
=LUcH
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close