InfoWorld
Lead with Knowledge
HOME/ SITEMAP
SUBJECT INDEXES
ABOUT US
WHITE PAPERS

Learn to secure your PCs from new and unknown hacker attacks.

Free IDC White Paper - Discover Secure File Sharing for the Enterpriseattacks.

SEARCH:  
Home  //  Community //  Opinions //  Article
Print Article    Email Article
Window Manager
Brian Livingston
IE doesn't lock down

See correction below

WE'VE SPENT years teaching users that their passwords and credit card numbers are secure on the Web as long as a little lock icon appears in the status bar of their browser windows.

Now it turns out that this isn't true. Microsoft Internet Explorer Versions 5.0 (released in 1999), 5.5, and today's 6.0 don't fully support SSL, according to Mike Benham, a white-hat security expert. SSL is the security technology that the lock icon visually assures us is enabled.

Benham posted an explanation last month on Bugtraq, a security forum. Numerous other professionals have confirmed the hole. Please read SecurityFocus HOME Mailing List: BugTraq

The issue lies with SSL certificates. These are assigned to e-commerce Web sites by "certificate authorities" such as VeriSign, Thawte, and several other companies. When used properly, these digitally signed certificates verify that your browser is communicating with a known Web site and that no one else can intercept and read your data.

The recipient of a certificate, however, can generate an "intermediate" certificate labeled Amazon.com, PayPal.com, or any other name. Benham says the Netscape and Mozilla browsers correctly check that the entire "chain" of certificates is valid but, amazingly, IE does not.

This permits a "man-in-the-middle" attack. An unscrupulous worker at an ISP, for example, could watch IE users' credit card numbers and passwords flow by, then use them or sell them.

Steve Fallin, director of the rapid response team for WatchGuard Technologies (http://www.watchguard.com), says this is "a pretty fundamental cryptographic flaw." He added, "If it's confirmed that it's been a flaw for three years, then it's pretty serious."

David Graves, engineering manager of Descan.net, explains that the fault lies with Windows itself, which Netscape and others don't draw upon for SSL services. "A unique fix for each Windows version will need to be developed," he says.

Steve Lipman, Microsoft's director of security assurance, confirmed in an interview that the company is developing patches for all supported versions of Windows, back to Windows 98.

Microsoft's response is at http://www.microsoft.com/technet/security/news/IARWSV.asp. The notice says exploiting the flaw would be "difficult." But Benham replies that such attacks are simple and well known. "If they were so difficult," he points out, "nobody would need SSL to begin with."

It's true that your credit card is at risk every time you give it to a waiter, and there's a $50 fraud limit. But companies that rely on SSL for more than ordering pizza have real cause for alarm.

Starting immediately, all e-commerce sites have a duty to warn vulnerable IE users to switch to another browser for sensitive transactions. That may be inconvenient, but it eliminates the danger.

Correction

In "IE doesn't lock down" (see Sept. 2, page 20), we misreported the name of Steve Lipner, Microsoft's director of security.






RELATED ARTICLES

Microsoft adopting remedies before ruling
Test Center Research Report: Security


RELATED SUBJECTS

Security
Enterprise Applications

Click here for all of Brian Livingston's past columns.
SUBSCRIBE TO: E-mail Newsletters InfoWorld Mobile InfoWorld Magazine
Home  //  Community //  Opinions //  Article Print Article    Email Article
Back to Top
 ADVERTISEMENT
 

SPONSORED LINKS

Learn to secure your PCs from new and unknown hacker attacks.
SPEED, PERSONALIZATION AND INTEGRATION: THE KEY TO E-COMMERCE SUCCESS.
Protect Your Data: Get your FREE Enterprise Backup Intelligence Kit from ADIC.
New HP digital projectors click now for limited-time introductory offers.
SeeBeyond Webinar - Topic: UCCnet, Thurs., 9/26/02 , 8-9 am PST

SUBSCRIBE
E-mail Newsletters
InfoWorld Mobile
Print Magazine
Web-based training
ABOUT INFOWORLD  |  SITE MAP  |  EMPLOYMENT  |  PRIVACY  |   CONTACT US

Copyright 2002 InfoWorld Media Group, Inc.