In the wise words of Charles Miller:
> Actually, the SSL vulnerability is a very predictable answer to an old
> question. For a while now, one of the big "what ifs" of Internet
> security has been "What if one day, the SSL infrastructure is completely
> compromised?" The most common hypothetical
On Fri, 2002-08-16 at 09:11, robert walker wrote:
> A huge amount of infrastructure is managed remotely via
> SSL and IE these days. It just boggles the mind the
> extent to which the security integrity of that
> infrastructure is now under a cloud unknowing.
Actually, the SSL vulnerability is a
In-Reply-To: <[EMAIL PROTECTED]>
Given my background in cryptographic programming,
it is difficult for me to imagine how the cause of this
alleged vulnerability could be explained as programmer
error or oversight. Yet I cannot fathom why MS would
purposely skip such a basic step.
I am wait
http://theregister.co.uk/content/4/26620.html
I've not tested this on IE because several researchers posting to Benham's
BugTraq thread
(http://online.securityfocus.com/archive/1/286895/2002-08-08/2002-08-14/1)
have confirmed the behavior. But I did test it on Mozilla 0.9.4, which Benh
On Thu, Aug 08, 2002 at 01:38:46PM +0200, Balazs Scheidler wrote:
> On Mon, Aug 05, 2002 at 04:03:29PM -0700, Mike Benham wrote:
>
> > However, there is a slightly more complicated scenario. Sometimes it is
> > convenient to delegate signing authority to more localized authorities.
> > In this c
<[EMAIL PROTECTED]>
Sent: Tuesday, August 06, 2002 1:03 AM
Subject: IE SSL Vulnerability
>
>
> Internet Explorer SSL Vulnerability 08/05/02
> Mike Benham <[EMAIL PROT
On Mon, Aug 05, 2002 at 04:03:29PM -0700, Mike Benham wrote:
> However, there is a slightly more complicated scenario. Sometimes it is
> convenient to delegate signing authority to more localized authorities.
> In this case, the administrator of www.thoughtcrime.org would get a chain
> of certif
On Wed, Aug 07, 2002 at 12:24:19PM -0700, Mike Benham wrote:
> First of all, https://www.thoughtcrime.org is NOT the demo site. Several
> people were confused by this email, and subsequently concluded that their
> browser isn't vulnerable because they got an alert that the "name on the
> certifi
In-Reply-To: <[EMAIL PROTECTED]>
Mike,
I have checked out your sample exploit, and I can confirm that my IE 5 is
vulnerable. Regarding the post by Alex Loots, the certificate is a regular
server certificate, not an intermediate CA with name constraints (if I
have understood his message c
On Wed, 7 Aug 2002, Alex Loots wrote:
> Hi Mike,
> I visited your demo at https://www.thoughtcrime.org. It appears that Thawte is
> the TTP instead of Verisign. Does this make any difference for example the
> certificate extensions?
First of all, https://www.thoughtcrime.org is NOT the demo site
OTECTED]
Cc:
Subject: IE SSL Vulnerability
Internet Explorer SSL Vulnerability 08/05/02
Mike Benham <[EMAIL PROTECTED]>
http://www.thoughtcrime.
11 matches