Security Advisory 01/2001
IE https certificate attack
Release Date: 2001/12/22
Author: Stefan Esser
Application: Microsoft Internet Explorer 5.0/5.5/6.0
Severity: Vulnerability in IE's SSL Certificate handling allows undetected SSL Man-In-The-Middle attacks
Risk: Very High
Last Modified: 2001/12/25
A flaw in Microsoft Internet Explorer allows an attacker to perform a SSL Man-In-The-Middle attack without the majority of users recognising it. In fact the only way to detect the attack is to manually compare the server name with the name stored in the certificate.
For a basic introduction into SSL MIM attacks I recommend reading:
There is a flaw in the way IE checks HTTPS objects that are embedded into normal HTTP pages. According to my tests IE does only check if the certificate of the HTTPS server is properly signed by a trusted CA but totally ignores if the cert was issued onto the correct name or has already expired. This is in fact not dangerous because the user considers HTTPS objects embedded in a HTTP page not secure. The problem is that IE flags the certificate as trusted and caches this certification trust until your browser session ends. That means once you visited a normal http page that included an image from the MIMed SSL Server, IE will not warn you about an illegal site certificate as long the certificate was signed by f.e. Verisign.
A possible scenario would be:
Hacker runs a MIM attacking tool for HTTP/HTTPS in the subnet of your site. The HTTP part of the tool auto appends
<img src="https://www.yoursite.com/nonexistent.gif" width=1 height=1>
to any html page that is returned to your customer's browser and the HTTPS part presents his browser a valid but stolen certificate for www.shop.com. IE will only check if the cert was signed by a trusted CA when trying to display the image and won't compare the name inside the cert or check the expiration date. If your customer now tries to login to your site via HTTPS IE will consider the cert trustworthy without checking it again. Your customer will only be able to determine that he was just tricked by manually checking the servername in the cert. But you can be sure that only paranoid people would check. The majority of people don't even know how they can do so. Imagine the hacker stole the cert from "yoursite.de". How many users of "yoursite.com" would not trust a cert that was issued on "yoursite.de". The average user does not know anything about SSL than it's making his payment "secure".
Proof of Concept
A proof of concept webpage was put up at http://suspekt.org. Clicking onto the "To the secure page..." link will send your browser to https://suspekt.org without IE warning you that the certificate was not issued onto that server. This is not a MIM but it has the same effect: IE will tell you a page is secure although the certificate is illegal and its possible for a third party (anyone who owns the given certificate) to decrypt your traffic in realtime.
26 November 2001 Microsoft was informed about this vulnerability
27 November 2001 Proof of concept page got visited by lots of MS IPs
01 December 2001 Microsoft informed us with a standard reply that they have received the advisory
12 December 2001 Microsoft was informed that we were going to release the advisory within the next 3 days
13 December 2001 Microsoft asked us to wait because the issue is complex due to the fact a lot of cryptography is involved
21 December 2001 Microsoft sent an update: no patches yet, still a complex issue
Until today Microsoft did not release a patch, they had nearly a month time to fix the bug. Instead they call it a very complex issue. Because I don't know the source code of the Internet Explorer I cannot check the validity of these claims, but from my point of view fixing this missing check is just a matter of copy and pasting a few lines. Unfortunately it is christmas time and especially during the last month millions of customers where buying christmas presents on the internet all around the world. That means millions of customers were shopping with insuffient protection of their private data. Because there are no patches out yet, I strongly recommend that you use Mozilla, Opera or another non MS browser to do your internet banking or shopping these days. If you think (for whatever strange reason) that you need the Internet Explorer, ensure that the certificate is the correct by comparing the servername in the certificate with the one in your browser...
Today (25th December) we found out that this vulnerability was reported to Microsoft already 2 years ago by ACROS. At that time (or better half a year later) Microsoft released the patches for this vulnerability fixing the bug within IE 4.0 and the early versions of IE 5.0. The Microsoft Security Bulletin (MS00-039) clearly states that IE5.01SP1 and IE 5.5 are not vulnerable. That means, that one of the "security patches" that Microsoft released since that date reimplemented the bug and made all IEs vulnerable again.