Last Revised: --
Source: CERT/CC
A complete revision history is at the end of this file.
Several flaws exist in Microsoft Internet Explorer that could allow an
attacker to masquerade as a legitimate web site if the attacker can
compromise the validity of certain DNS information. These problems are
different from the problems reported in CERT Advisory
CA-2000-05 and CERT Advisory
CA-2000-08, but they have a similar impact.
Digital certificates are small documents used to authenticate and encrypt
information transmitted over the Internet. One very common use of digital
certificates is to secure electronic commerce transactions through SSL (Secure
Sockets Layer). The certificates used in e-commerce transactions are called
X.509 certificates. They help a web browser and the user ensure that
sensitive information transmitted over the Internet is readable only by the
intended recipient. This requires verifying the recipient's identity and
encrypting data so that only the recipient can decrypt it.
The "padlock" icon used by Internet Explorer (as well as Netscape and other
browsers) is an indication that an SSL-secured transaction has been
established to someone. It does not necessarily indicate to whom the
connection has been established. Internet Explorer (and other browsers) take
steps to warn users when DNS-based information conflicts with the strongly
authenticated information contained in the X.509 certificates used in SSL
transactions. These warnings are supplemental information to help users decide
if they're connecting to whom they think they are connecting. These steps and
warnings are designed to protect against attacks on the DNS information.
Descriptions of the problems provided by Microsoft are shown below.

When a connection to a secure server is made via either an image
or a frame, IE only verifies that the server's SSL certificate was
issued by a trusted root - it does not verify the server name or the
expiration date. When a connection is made via any other means, all
expected validation is performed.

Even if the initial validation is made correctly, IE does not
re-validate the certificate if a new SSL session is established with the
same server during the same IE session.
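
The two behaviours Microsoft describes above, modelled side by side with the complete check, as an added example (not code from Microsoft or CERT/CC). The certificate records, host names, trusted issuer and all function names are constructed for illustration, and the name match is exact-only.

```python
import ssl

# Constructed sample data (not from the advisory): one trusted issuer and three
# simplified certificates, each with an issuer, DNS names and an expiry date.
TRUSTED_ROOTS = {"Example Root CA"}
SHOP = {"issuer": "Example Root CA", "names": ["shop.example"],
        "notAfter": "Jan 15 00:00:00 2030 GMT"}
OTHER = {"issuer": "Example Root CA", "names": ["other.example"],
         "notAfter": "Jan 15 00:00:00 2030 GMT"}
EXPIRED = {"issuer": "Example Root CA", "names": ["shop.example"],
           "notAfter": "Jan 15 00:00:00 2001 GMT"}
NOW = ssl.cert_time_to_seconds("Jun 15 00:00:00 2025 GMT")

def trusted_issuer(cert):
    return cert["issuer"] in TRUSTED_ROOTS

def name_matches(cert, host):
    # Exact, case-insensitive match only; wildcard handling is omitted here.
    return host.lower() in (n.lower() for n in cert["names"])

def unexpired(cert, now):
    return now < ssl.cert_time_to_seconds(cert["notAfter"])

def root_only_check(cert, host, now):
    """The image/frame behaviour described above: issuer is the only test."""
    return trusted_issuer(cert)

def full_check(cert, host, now):
    """Issuer, server name and expiry must all pass."""
    return trusted_issuer(cert) and name_matches(cert, host) and unexpired(cert, now)

class Session:
    """One browser session; revalidate=False models the second description."""
    def __init__(self, revalidate):
        self.revalidate = revalidate
        self.validated = set()

    def connect(self, host, cert, now):
        if not self.revalidate and host in self.validated:
            return True  # earlier verdict reused; this certificate is never examined
        ok = full_check(cert, host, now)
        if ok:
            self.validated.add(host)
        return ok

def second_connection_accepted(revalidate):
    """Validate SHOP first, then present OTHER on a new SSL session to the same host."""
    s = Session(revalidate)
    s.connect("shop.example", SHOP, NOW)
    return s.connect("shop.example", OTHER, NOW)
```
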
We encourage you to read Microsoft
Security Bulletin MS-039 for additional details provided by
Microsoft. This document is available at
Systems Affected
Overview
I. Description
IE fails to validate certificates in images or frames
IE fails to revalidate certificates within the same session
II. Impact