IE's lock-down flaw

We've spent years teaching users that their passwords and credit card numbers are secure as long as a lock icon appears in the status bar of their browser windows. Now it turns out that this isn't true.

We’ve spent years teaching users that their passwords and credit card numbers are secure as long as a lock icon appears in the status bar of their browser windows.

Now it turns out that this isn’t true. Microsoft Internet Explorer versions 5.0 (released in 1999), 5.5 and today’s 6.0 don’t fully support SSL, says Mike Benham, a white-hat security expert. SSL is the security technology that the lock icon visually assures us is enabled.

Benham posted an explanation last month on Bugtraq, a security forum. Numerous other professionals have confirmed the hole.

The issue lies with SSL certificates. These are assigned to e-commerce websites by “certificate authorities” such as VeriSign, Thawte and several other companies. When used properly, these digitally signed certificates verify that your browser is communicating with a known website and that no one else can intercept and read your data.

The recipient of a certificate can generate an “intermediate” certificate labelled Amazon .com, PayPal.com or any other name. Benham says the Netscape and Mozilla browsers correctly check that the entire “chain” of certificates is valid but, amazingly, IE does not.

This permits a “man-in-the-middle” attack. An unscrupulous worker at an ISP, for example, could watch IE users’ credit card numbers and passwords flow by, then use them or sell them.

Steve Fallin, director of the rapid response team for WatchGuard Technologies, says this is “a pretty fundamental cryptographic flaw”. He adds: “If it’s confirmed that it’s been a flaw for three years, then it’s pretty serious.”

David Graves, engineering manager of Descan.net, explains that the fault lies with Windows itself, which Netscape and others don’t draw upon for SSL services. “A unique fix for each Windows version will need to be developed,” he says.

Steve Lipman, Microsoft’s director of security assurance, confirmed in an interview that the company is developing patches for all supported versions of Windows, back to Windows 98.

Microsoft’s response is here. The notice says exploiting the flaw would be “difficult”. But Benham replies that such attacks are simple and well known. “If they were so difficult,” he points out, “nobody would need SSL to begin with.”

It’s true that your credit card is at risk every time you give it to a waiter, and there’s a $50 fraud limit. But companies that rely on SSL for more than ordering pizza have real cause for alarm.

Starting immediately, all e-commerce sites have a duty to warn vulnerable IE users to switch to another browser for sensitive transactions. Inconvenient, but it eliminates the danger.

Send tips to contributing editor, Livingston. He regrets that he cannot answer individual questions. Send letters for publication in Computerworld to Computerworld Letters.

Join the newsletter!

Error: Please check your email address.

Tags Window Manager

More about Amazon Web ServicesLivingstonMicrosoftMozillaPayPalThawteVeriSign AustraliaWatchguardWatchguard Technologies

Show Comments
[]