Bugtraq: RE: Multiple Vendor "talkd" user validation fault

["0x90" <0x90 () invisiblenet net>]

On the topic of ignored security issues, SSL security in general seems to to
be ignored as well, including microsoft's lack of fixing issues with Cert
checking in Internet Explorer , which leads to an easy man in the
middle/replay attack to a certificate viewed by IE. Maybe someday, people
will listen, not today obviously - of course I notice it always becomes an
issue when it finally affects the person. In detail, we can recap e-matters
SSL issue where a flaw in Microsoft Internet Explorer allows an attacker to
perform a SSL Man-In-The-Middle attack without the majority of users
recognising it. In fact the only way to detect the attack is to manually
compare the server name with the name stored in the certificate.


for all curious http://suspekt.org click on go to secure page and if you
don't get a popup, be disappointed. Now this report was issued in 2001, and
IE 6 has not decided to fix this either. This along with an arp poison
attack of a client and gateway on a network, will easily lead to compromise
of SSL without any suspicions arising for users of IE. I'm disappointed, as
we pass SSL off has the "industry standard" web authentication protocol, and
it's implemented incorrectly, by 1) End users don't understand SSL
implementation and the definition of digital trust, 2) no one reads those
pop-ups anyway and 3) Microsoft royally fucks it up without a pop-up to
begin with. So financially for 125$ I can go and successfully sniff my
network without question and grab SSL user names and passwords, plus
whatever else I want. Are you concerned? I am.

0x90
www.invisiblenet.net