Check digital certificates in Internet Explorer 4 and 5, users cautioned

Computerworld

June 8, 2000
Web posted at: 10:46 a.m. EDT (1446 GMT)

(IDG) -- The Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University in Pittsburgh today issued a warning that newly found flaws in Internet Explorer could allow an attacker to trick users into disclosing information, such as credit-card numbers and personal data, intended for legitimate Web sites.

Internet Explorer (IE), Netscape Navigator and other browsers indicate when a Secure Sockets Layer (SSL) encrypted transaction has been established, but the software doesn't indicate to whom the connection has been made. The flaws involve the way IE validates digital certificates through SSL.

Microsoft, which issued its own bulletin yesterday, said there are two vulnerabilities.

  • IE sometimes verifies only that the server's SSL certificate was issued by a trusted root, but the certificate's server name and expiration date are not verified.


  • Even if the initial validation is made correctly, IE doesn't revalidate the certificate if a new SSL session is established with the same server during the same browser session.


Microsoft identified IE 4.0, 4.01, 5 and 5.01 as the versions that contain these flaws. It said the chances of these vulnerabilities occurring are "fairly restricted" because an attacker would need to inflict a domain name system (DNS) "poisoning" -- redirecting a domain name to another server -- or physically replace a server to carry out these attacks.

The company also issued a patch for these versions of IE. Microsoft didn't return calls for additional comments by press time.

In CERT's advisory, the organization advised users that, in addition to staying up-to-date on browser patches, they should check SSL connections before transmitting sensitive data. "DNS information is fundamentally insecure, and there are a variety of means by which an attacker can provide false or misleading DNS information," according to the advisory.

Users can look at certificate details within a browser after an SSL connection is established, and check that the certificate name belongs to the site to which they think they're sending data.
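The checks at issue in the two flaws, written out as an added Python example that is not part of the original article and is not Microsoft's or CERT's code: every new SSL session has its certificate checked for trusted root, server name and validity dates. It assumes certificates in the dictionary layout returned by Python's `ssl` `getpeercert()`, a trusted-root result supplied by the caller, and constructed sample certificates for the hypothetical hosts `shop.example` and `other.example`.

```python
import ssl

def name_matches(pattern, host):
    """Compare one certificate DNS name with the host; '*' covers only the leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:] and "." in rest
    return pattern == host

def check_certificate(cert, host, chain_trusted, now):
    """Return the list of failures for this certificate; an empty list means accept.

    cert: dict shaped like ssl.SSLSocket.getpeercert() output.
    chain_trusted: result of the trusted-root check (assumed done by the TLS library).
    now: current time in seconds since the epoch (UTC).
    """
    failures = []
    if not chain_trusted:
        failures.append("untrusted-root")
    # The two checks the bulletin says IE sometimes skipped: server name and dates.
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # no subjectAltName: fall back to the subject's commonName
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(name_matches(n, host) for n in names):
        failures.append("name-mismatch")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        failures.append("not-yet-valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        failures.append("expired")
    return failures

def validate_sessions(host, sessions, now):
    """Check the certificate of every new SSL session to host; a good verdict
    from an earlier session with the same host is never reused."""
    return [check_certificate(cert, host, trusted, now) for cert, trusted in sessions]

# Constructed sample certificates (not real), in getpeercert() layout.
GOOD = {"subject": ((("commonName", "shop.example"),),),
        "subjectAltName": (("DNS", "shop.example"),),
        "notBefore": "Jan  1 00:00:00 2000 GMT", "notAfter": "Jan  1 00:00:00 2001 GMT"}
OTHER = {"subject": ((("commonName", "other.example"),),),
         "notBefore": "Jan  1 00:00:00 1998 GMT", "notAfter": "Jan  1 00:00:00 1999 GMT"}
NOW = ssl.cert_time_to_seconds("Jun  8 14:46:00 2000 GMT")

if __name__ == "__main__":
    # The second session presents a different, expired certificate that still chains to a trusted root.
    for result in validate_sessions("shop.example", [(GOOD, True), (OTHER, True)], NOW):
        print(result or "accepted")
```

A client that stopped at the trusted-root check, or that reused the first session's verdict, would accept the second certificate; with all three checks applied per session it is rejected for both name and date.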



