Yesterday The Register [link|http://theregister.co.uk/content/4/26620.html|reported] on a [link|http://online.securityfocus.com/archive/1/286893/2002-08-05/2002-08-11/1|serious SSL bug] in IE.
For those who missed the thread, here is a quick description of what IE does. Certificate authorities sign SSL certificates, which amounts to saying that they have reason to believe that this person is who they say they are. Anyone with a certificate can sign any other certificate, and this creates a chain of signatures through which you may come to believe that a given certificate belongs to whoever it claims to belong to.
The catch, of course, is that if Verisign says that I am probably Ben Tilly, it hasn't said that my declarations that rainforest_puppy is really bank_of_america are particularly believable. IE will accept them anyway. It should believe them only if Verisign says not just that I am probably Ben Tilly, but also that I am an honest soul whose representations of others are accurate. That requires Verisign to supply a rather stronger statement, one that says that I am not just probably Ben Tilly, but am trusted to be a certificate authority. (Or more probably a certificate authority only for certificates that relate to Ben Tilly; for instance, I can say that Scott is Ben Tilly's Friend Scott, but not that Scott is really Scott.)
You might ask why this is a problem. After all, who cares whether or not you are really who you claim to be? Isn't SSL just about keeping third parties from sniffing your traffic? It turns out that it is a big problem for online banks, where it is very important that you know who you are really dealing with. It is also a problem for sniffing, because if someone can invent certificates that you accept as being from whoever you think you are talking to, they can perform a man-in-the-middle attack on SSL (which SSL is supposed to prevent).
So what is Microsoft's response? Why, according to CNN, they are [link|http://www.cnn.com/2002/TECH/internet/08/13/microsoft.security.ap/index.html|investigating the claim] that it might be a problem.
A clue. Not only is it a problem, but [link|http://www.thoughtcrime.org/ie.html|here] is a demonstration of how to exploit it on a local network! (Linux 2.4 required. Alternate exploits are readily available, for instance through DNS poisoning.)
Anyone care to take bets on whether the IT press will report this effort honestly enough to cause Microsoft's attempt to turn this into a public relations exercise to backfire on them?
Cheers,
Ben
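
The check described above, as an added example that is not part of the original post: a simplified Python model of chain validation that accepts a signer only if its own certificate is marked as a CA (the X.509 basicConstraints extension). The `Cert` class, `validate_chain` and all names are constructed for illustration; signature verification is assumed to have passed and is modelled as name matching, and the path-length check goes slightly beyond what the post discusses.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:
    """Simplified model of an X.509 certificate (constructed, not parsed from DER)."""
    subject: str
    issuer: str
    is_ca: bool = False             # models basicConstraints CA:TRUE
    path_len: Optional[int] = None  # models pathLenConstraint; None = no limit

def validate_chain(chain, roots, check_basic_constraints=True):
    """Validate a leaf-first chain against trusted roots keyed by subject name.

    Signature verification is assumed to have succeeded already and is modelled
    as issuer/subject name matching. Returns (ok, reason).
    """
    if not chain:
        return False, "empty chain"
    anchor = roots.get(chain[-1].issuer)
    if anchor is None:
        return False, "chain does not end at a trusted root"
    path = list(chain) + [anchor]
    # depth = number of intermediate certificates between this issuer and the leaf
    for depth, (cert, issuer) in enumerate(zip(path, path[1:])):
        if cert.issuer != issuer.subject:
            return False, f"{cert.subject}: issuer name mismatch"
        if not check_basic_constraints:
            continue  # the behaviour described above: any certificate may sign
        if not issuer.is_ca:
            return False, f"{issuer.subject} is not a CA but signed {cert.subject}"
        if issuer.path_len is not None and depth > issuer.path_len:
            return False, f"{issuer.subject}: pathLenConstraint exceeded"
    return True, "ok"

# Constructed sample data; all names are placeholders.
ROOT = Cert("Example Root CA", "Example Root CA", is_ca=True, path_len=0)
ROOTS = {ROOT.subject: ROOT}
SITE = Cert("www.ben-tilly.example", "Example Root CA")       # ordinary end-entity cert
VOUCHED = Cert("www.bank.example", "www.ben-tilly.example")   # signed by SITE's key
SUB_CA = Cert("Example Sub CA", "Example Root CA", is_ca=True)
LEAF = Cert("shop.example", "Example Sub CA")

if __name__ == "__main__":
    for name, chain, strict in [("site", [SITE], True),
                                ("vouched, lax", [VOUCHED, SITE], False),
                                ("vouched, strict", [VOUCHED, SITE], True),
                                ("sub-CA under path_len=0", [LEAF, SUB_CA], True)]:
        print(name, "->", validate_chain(chain, ROOTS, strict))
```
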