
SSL hole is not in the browser but in Windows

Friday 16 August 2002, 12:01 by Redactie, 4 comments

The hole in the Secure Sockets Layer (SSL) security technology that was found this week by an independent researcher is not in the Internet Explorer browser. According to Microsoft, it is a problem in most versions of the Windows operating system. (Automatisering Gids)

Comments (4)
16-08-2002, 16:26 by Anonymous
http://www.theregister.co.uk/content/4/26714.html

Attacking the flaw, MS says, would be well-nigh impossible for three reasons.

First, there's no easy way for an attacker to lure a victim to a malicious knock-off Web site, which MS flacks insist is a precondition for exploitation. Actually, what they say is, the attack scenario "provides no way to make the user actually arrive at the attacker's site."

Well, that's true in a sense. Luring the victim is a problem which needs to be solved or sidestepped for an attack to work. But is it strictly necessary? The short answer is no. Benham's attack tool, sslsniff, uses ARP (Address Resolution Protocol) spoofing rather than social engineering, and just grabs data from other people's SSL sessions using ARPspoof to get between client and host as a proxy, and his certificate chaining attack to defeat Windows' certificate verification mechanism. Thus an attacker can easily place himself between you and your bank and log your business using a bogus SSL certificate which IE will not warn you of.
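The certificate chaining attack referred to in the quote above worked because Windows' verifier did not check whether the certificate that signed another certificate was itself marked as a certificate authority (the basicConstraints extension), so any ordinary server certificate could be used to issue a certificate for any other site. The following is an added Go example, not code from the post or from sslsniff, that reproduces the check a correct verifier performs; it constructs throwaway certificates for root-ca.example, attacker.example and bank.example inline, and relies on Go's crypto/x509, which enforces basicConstraints on every issuer.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must aborts on setup errors so the demo stays short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// issue mints a throwaway P-256 certificate for host, flagged as a CA or not,
// signed by parent (self-signed when parent is nil). All names are constructed.
func issue(host string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:      pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		// basicConstraints is present, so a checking verifier treats the CA flag as authoritative.
		BasicConstraintsValid: true, IsCA: isCA,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// Scenario: the attacker holds a valid end-entity certificate (not a CA) for
// attacker.example and signs a certificate for bank.example with its key.
func Scenario() (ownCertOK, forgedChainOK bool) {
	root, rootKey := issue("root-ca.example", true, nil, nil)
	attacker, attackerKey := issue("attacker.example", false, root, rootKey)
	forged, _ := issue("bank.example", false, attacker, attackerKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(attacker) // offered as the forged certificate's issuer
	_, err1 := attacker.Verify(x509.VerifyOptions{Roots: roots, DNSName: "attacker.example"})
	_, err2 := forged.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "bank.example"})
	return err1 == nil, err2 == nil
}
```

A verifier that only follows signatures back to a trusted root, as the Windows one did at the time, would report both chains as valid; one that honours the CA flag accepts the attacker's own certificate but rejects the forged bank.example chain.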
17-08-2002, 13:18 by Anonymous
Yes, but I think IE is simply part of the Windows operating system. MS can claim it is not a flaw in the browser, but in the meantime I ask: when will a patch for this problem be put on the internet? I mean: many people pay via the internet (bank and giro).

Greetz
sep.
17-08-2002, 15:46 by Anonymous
Despite the many challenges associated with exploiting the flaw, there is indeed a flaw here and Microsoft is developing a patch that will eliminate it. When the patch is available, we will release a security bulletin discussing the overall issue and how to apply the patch.

We regret any anxiety that customers may have experienced regarding this issue. Clearly, it would have been best if a balanced assessment of the issue and its risk had been available from the start. However, the report, which neglected to discuss any of the challenges associated with actually exploiting the vulnerability, was made public without any advance warning to Microsoft. Responsible security researchers have the safety of users in mind and work with vendors to ensure that the information published about potential vulnerabilities is balanced and, above all, correct. Had this been done in this case, all users’ interests would have been better served.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/news/IARWSV.asp
For the complete M$-mental-massage (tm)
19-11-2002, 13:03 by Anonymous
If you use Netscape or Mozilla there is nothing wrong. Those also run under Windows. So IE is not completely OK after all.