Domain: thoughtcrime.org
Stories and comments across the archive that link to thoughtcrime.org.
Comments · 57
-
Re:Only if you ignore the warnings.
...or unless people are running unpatched browsers. Which is probably the case for 99% of IE users.
-
Re:Sniff SSL Connections?!?
Your SSL connections should be safe from MiM attacks, unless your browser is unpatched.
-
Re:Bankers Irony
Mod parent up! The reason that the recent IE certificate bug exists at all is that they don't follow the standard.
A certificate using system MUST reject the certificate if it encounters a critical extension it does not recognize.
IE does not process the critical basicConstraints extension (as well as others) and still accepts the certificate. Netscape (even back to version 4) will reject a critical extension that it does not recognize.
-
Konqueror works fine.
I just tried it using Konqueror 3.0.1, and here's a screenshot of what I get when I go to the web site. After clicking continue, it prompts me again. This is similar to what I see when I come across expired certificates. After accepting the certificate despite the warnings, I see the "You've been hacked" page.
-
Re:Heh
Regardless of whether you could give a shit, when you try the demo of the exploit with Mozilla it just looks like a bug (it says "Error Code:-8183"), so I'd say the reporter was pretty even-handed when he said he didn't know if it was a bug or by design that Mozilla wasn't vulnerable.
-
Try it yourself right now ... here is what I saw:
If you hit the discoverer's web site using Mozilla 1.1b you get an -8183 error and it will not display the page. Note this is not a complete spoofed-site demo unless you trick your DNS resolver into reporting his IP for www.amazon.com and pull up his page using SSL with that URL.
I would infer that Mozilla is correctly detecting the mistake in the certificate chain.
Notes on another practical demonstration of this bug are here.
-
'nother link
.. to a buried page on the guy's own site. This shows a little more detail on how to get a test setup running.