A security flaw in Microsoft's Internet Explorer (IE) Web browser can undermine the supposedly watertight Secure Sockets Layer (SSL) standard for securing online transactions and e-commerce, researchers claim.
IE's implementation of SSL contains a vulnerability which allows what is described as an "active, undetected, man-in-the-middle attack, where no dialogues are shown and no warnings given". It's not known yet if the Mac versions of IE are affected.
Security researcher Mike Benham said the problem is that IE fails to check the Basic Constraints of certificates signed by intermediate Certificate Authorities (CAs). That means that, as far as IE is concerned, anyone with a signed certificate for any domain can generate a certificate for any other domain, which will appear to be signed by a valid CA.
Describing the flaw, Internet security Web site Hideaway.net said: “Spoofing a trusted Web site is thus a trivial exploit; when combined with session hijacking, a man-in-the-middle attack is quite feasible. This destroys the whole purpose of SSL certificates in the first place.”
Benham said that IE 5 and IE 5.5 are totally vulnerable to this kind of exploit, and IE 6 is vulnerable under most circumstances.
“I would consider this to be incredibly severe,” Benham said in a newsgroup thread. “Any of the standard connection hijacking techniques can be combined with this vulnerability to produce a successful man-in-the-middle attack. Since no warnings are given and no dialogs are shown, the attacker has effectively circumvented all security that an SSL certificate provides.”
Microsoft has given no indications that it plans to fix this flaw at this time.