IE SSL Security Flaws

by William Crawford

Related link: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/news…



I really hope that the flap over the latest IE Security flaw ends quickly. This gem of a problem, which allows the spoofing of digital certificates to match any domain name as long as the ultimate certificate in the chain of authority has been signed by a root certificate, has destroyed the integrity of the little lock icon at the bottom of the browser window.


While Microsoft protests (link above) that there is no real security risk, as a properly signed certificate is required, this simply isn't the case. For one thing, certificates can be compromised by other means: an improperly secured server certificate on a compromised web server could be used to create a series of bogus certificates that could be passed around the security underground. And even if transgressors bought their own certificates, I haven't noticed IE keeping a log of the various sites I've visited so I could chase down the culprit later. There's a lot of hand-waving going on here.
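
The path check that such a flaw skips, as an added example (not code from this post or from Microsoft): the lenient validator accepts any chain whose links lead to a trusted root, while the strict one also requires every signing certificate to be a CA. It assumes the skipped check is the X.509 Basic Constraints CA flag, which the post does not name. The `Cert` model, names and chains are constructed, and issuer/subject matching stands in for signature verification.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str   # name the certificate was issued to
    issuer: str    # name of the certificate that signed it
    is_ca: bool    # models the X.509 Basic Constraints CA flag (assumption)

TRUSTED_ROOTS = {"Example Root CA"}  # constructed trust store

def links_to_trusted_root(chain, hostname):
    """Lenient check: leaf matches the host, every link names its signer,
    and the last certificate was signed by a trusted root. Issuer/subject
    matching stands in for real signature verification in this model."""
    if not chain or chain[0].subject != hostname:
        return False
    for cert, signer in zip(chain, chain[1:]):
        if cert.issuer != signer.subject:
            return False
    return chain[-1].issuer in TRUSTED_ROOTS

def strict_validate(chain, hostname):
    """Hardened check: in addition, every certificate that signed another
    one must itself be marked as a CA."""
    if not links_to_trusted_root(chain, hostname):
        return False
    return all(signer.is_ca for signer in chain[1:])

# Constructed sample chains, leaf first.
LEGIT_CHAIN = [
    Cert("shop.example", "Example Intermediate CA", is_ca=False),
    Cert("Example Intermediate CA", "Example Root CA", is_ca=True),
]
# An ordinary server certificate (is_ca=False) used as if it were a CA.
SPOOFED_CHAIN = [
    Cert("bank.example", "other-site.example", is_ca=False),
    Cert("other-site.example", "Example Root CA", is_ca=False),
]

if __name__ == "__main__":
    for name, chain in (("legit", LEGIT_CHAIN), ("spoofed", SPOOFED_CHAIN)):
        host = chain[0].subject
        print(name, links_to_trusted_root(chain, host), strict_validate(chain, host))
```

Both validators accept the legitimate chain; only the lenient one accepts the chain in which a server certificate signs another certificate.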


Of course, the real risk isn't that great. Intercepting TCP/IP communications for a man-in-the-middle attack is difficult without access to specific machines. What concerns me is the potential for companies to step back from rolling out new web-based business applications on the SSL platform, out of concern that sensitive business data could be compromised. Over the last few years I'm sure it's happened at least once.


So I hope this thing doesn't blow out of proportion. Right now people are confident that the little lock icon will protect them and their data. It may not be proof against technological advance or the NSA, but customers need to be confident that they are not being placed at risk due to shoddy programming.

What's the biggest threat to business and consumer confidence on the net?