ad info

 
CNN.com  technology > computing
    Editions | myCNN | Video | Audio | Headline News Brief | Feedback  

 

  Search
 
 

 
TECHNOLOGY
TOP STORIES

Consumer group: Online privacy protections fall short

Guide to a wired Super Bowl

Debate opens on making e-commerce law consistent

(MORE)

TOP STORIES

More than 11,000 killed in India quake

Mideast negotiators want to continue talks after Israeli elections

(MORE)

MARKETS
4:30pm ET, 4/16
144.70
8257.60
3.71
1394.72
10.90
879.91
 


WORLD

U.S.

POLITICS

LAW

ENTERTAINMENT

HEALTH

TRAVEL

FOOD

ARTS & STYLE



(MORE HEADLINES)
*
 
CNN Websites
Networks image


Check digital certificates in Internet Explorer 4 and 5, users cautioned

Computerworld

June 8, 2000
Web posted at: 10:46 a.m. EDT (1446 GMT)

(IDG) -- The Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University in Pittsburgh today issued a warning that newly found flaws in Internet Explorer could allow an attacker to trick users into disclosing information, such as credit-card numbers and personal data, intended for legitimate Web sites.

Internet Explorer (IE), Netscape Navigator and other browsers indicate when a Secure Socket Layer (SSL) encrypted transaction has been established, but the software doesn't indicate to whom the connection has been made. The flaws involve the way IE validates digital certificates through SSL.

  MESSAGE BOARD
 

Microsoft, which issued its own bulletin yesterday, said there are two vulnerabilities.

  • IE sometimes verifies only that the server's SSL certificate was issued by a trusted root, but the certificate's server name and expiration date are not verified.


  • Even if the initial validation is made correctly, IE doesn't revalidate the certificate if a new SSL session is established with the same server during the same browser session.

MORE COMPUTING INTELLIGENCE
IDG.net   IDG.net home page
  Computerworld's home page
  Signed and delivered: An introduction to security and authentication
  Programmer discovers his third IE 5 security flaw
  Security expert's perspective on hackers
  Reviews & in-depth info at IDG.net
  E-BusinessWorld
  TechInformer
  Questions about computers? Let IDG.net's editors help you
  Subscribe to IDG.net's free daily newsletter for IT leaders
  Search IDG.net in 12 languages

Microsoft identified IE 4.0, 4.01, 5 and 5.01 as the versions that contain these flaws. It said the chances of these vunerabilities occurring are "fairly restricted" because an attacker would need to inflict a domain name system (DNS) "poisoning" redirecting a domain name to another server or physically replace a server to carry out these attacks.

The company also issued a patch for these versions of IE. Microsoft didn't return calls for additional comments by press time.

In CERT's advisory, the organization advised users that, in addition to staying up-to-date on browser patches, they should check SSL connections before transmitting sensitive data. "DNS information is fundamentally insecure, and there are a variety of means by which an attacker can provide false or misleading DNS information," according to the advisory.

Users can look at certificate details within a browser after an SSL connection is established, and check that the certificate name belongs to the site to which they think they're sending data.




RELATED STORIES:
Picking up the (digital) check
April 3, 2000
Italy to launch legally binding digital signature
January 31, 2000
VeriSign takes the pain out of digital certificates
January 17, 2000
Compromise likely on digital signature bill
November 8, 1999
Feds want a digital certificate in every pot
July 16, 1998

RELATED IDG.net STORIES:
Feds issue list of top 10 Net threats
Industry Standard
IE flaws show you can't even trust a 'secure' design
Infoworld
California inaugurates digital signatures
Civic.com
Security expert's perspective on hackers
IDG.net
Signed and delivered: An introduction to security and authentication
Javaworld
Microsoft patched IE security -- again!
PC Worls
Programmer discovers his third IE 5 security flaw
IDG.net
SSL leader speaks up
Network World Fusion

RELATED SITES:
Microsoft Security Bulletin
Microsoft patch download page
CERT home page

Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.

 Search   

Back to the top   © 2001 Cable News Network. All Rights Reserved.
Terms under which this service is provided to you.
Read our privacy guidelines.