Microsoft practices putting its head up its ass
Yesterday The Register [link|http://theregister.co.uk/content/4/26620.html|reported] about a [link|http://online.securityfocus.com/archive/1/286893/2002-08-05/2002-08-11/1|serious SSL bug] in IE.

For those who missed the thread, here is a quick description of what IE does. Certificate authorities sign SSL certificates that say that we have reason to believe that this person is who they say they are. Anyone with a certificate can sign any other certificate. And this creates a chain of signings through which you may believe that a given certificate belongs to whomever they claim to be.

The catch, of course, is that if Verisign says that I am probably Ben Tilly, it hasn't said that my declarations that rainforest_puppy is really bank_of_america are particularly believable. IE will accept that. But it should only believe that if I say that I am not just probably Ben Tilly, but also says that I am an honest soul whose representations of others are accurate. That requires it supplying a rather stronger statement, one that says that I am not just probably Ben Tilly, but am trusted to be a certificate authority. (Or more probably a certificate authority only for certificates that relate to Ben Tilly, for instance I can say that Scott is Ben Tilly's Friend Scott, but not that Scott is really Scott.)

You might ask why this is a problem, after all who cares whether or not you are really who you claim to be, isn't SSL just about keeping third parties from sniffing your traffic? It turns out that it is a big problem for online banks where it is very important that you know who you are really dealing with. It is also a problem for sniffing because if someone can invent certificates that you accept as being from who you think you are talking to, they can perform a man-in-the-middle attack on SSL. (Which SSL is supposed to prevent.)

So what is Microsoft's response? Why, according to CNN, they are [link|http://www.cnn.com/2002/TECH/internet/08/13/microsoft.security.ap/index.html|investigating the claim] that it might be a problem.

A clue. Not only is it a problem, but [link|http://www.thoughtcrime.org/ie.html|here] is a demonstration of how to exploit it on a local network! (Linux 2.4 required. Alternate exploits are readily available, for instance through DNS poisoning.)

Anyone care to take bets on whether the IT press will report this effort honestly enough to cause Microsoft's attempt to turn this into a public relations exercise to backfire on them?

Cheers,
Ben
Computer Science is no more about computers than astronomy is about telescopes.
-- Edsger Wybe Dijkstra (1930-2002)
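
Added example, not part of the thread or of any browser's code: a toy Python model of the missing check described in the post above, with a validator that only follows the chain of signings next to one that also requires every signing certificate to be marked as a CA. The certificate names are constructed, and every signature is assumed to verify cryptographically, so only the authorization step is modelled.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool = False               # basicConstraints cA flag
    path_len: Optional[int] = None    # basicConstraints pathLenConstraint

def names_chain(chain: List[Cert], roots: Set[str]) -> bool:
    """Leaf-first chain: each issuer is the next subject, ending at a trusted root."""
    linked = all(c.issuer == p.subject for c, p in zip(chain, chain[1:]))
    return bool(chain) and linked and chain[-1].subject in roots

def naive_validate(chain: List[Cert], roots: Set[str]) -> bool:
    """Behaviour described in the post: linkage only, no CA check."""
    return names_chain(chain, roots)

def strict_validate(chain: List[Cert], roots: Set[str]) -> List[str]:
    """Return a list of problems; an empty list means the chain is acceptable."""
    problems = []
    if not names_chain(chain, roots):
        problems.append("chain does not link to a trusted root")
    # chain[1:] are the certificates that signed another certificate.
    # depth = number of intermediate CA certificates below this issuer.
    for depth, cert in enumerate(chain[1:]):
        if not cert.is_ca:
            problems.append(f"{cert.subject} signed a certificate but is not a CA")
        elif cert.path_len is not None and depth > cert.path_len:
            problems.append(f"{cert.subject} exceeds pathLenConstraint {cert.path_len}")
    return problems

# Constructed sample data: a root CA, an ordinary site certificate it issued,
# and a certificate for another name signed with that site certificate's key.
ROOTS = {"CN=Example Root CA"}
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", is_ca=True)
SITE = Cert("CN=www.ben.example", "CN=Example Root CA")
FORGED = Cert("CN=www.bank.example", "CN=www.ben.example")
HONEST_CHAIN = [SITE, ROOT]
FORGED_CHAIN = [FORGED, SITE, ROOT]

if __name__ == "__main__":
    print("naive accepts forged chain:", naive_validate(FORGED_CHAIN, ROOTS))
    print("strict problems:", strict_validate(FORGED_CHAIN, ROOTS))
```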
well ssl in total
is a very poor way of online security. Online security should be assumed to be as secure as logging into the box locally. I personally think hardened os hosts is the best of a poor selection of inet security.
thanx,
billl
"Once, in the wilds of Afghanistan, I had to subsist on food and water for several weeks." W.C. Fields