

Web browser certificate Validation flaw: Netscape, Mozilla, MSIE vulnerable - still?


Date: Wed, 18 Sep 2002 17:21:13 +1000
From: "Pidgorny, Slav" <slav.pidgorny@anz.com>
To: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>
Subject: Web browser certificate Validation flaw: Netscape, Mozilla, MSIE vulnerable - still?

Group,

I'm referring to the certificate validation issues that recently made huge
press:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0862

I have seen all sorts of apocalyptic reports and anti-MS propaganda
regarding the issue, but in-depth technical analysis can't be easily found.
When I was doing my research quite a while ago
(http://online.securityfocus.com/archive/1/273101) I noticed that some
certificates do not have Basic Constraints or any other optional fields in
the X.509 certificate. One example is the certificate used on Steve Gibson's
GRC Web site (https://grc.com). Those are V1 certs.

The problem being, if there's no Basic Constraints or Enhanced Key Usage
field on the certificate in the middle of the certification chain, there's
no means for the client software to verify if a web server SSL certificate
was used as a CA certificate. Therefore, all platforms are vulnerable to
identity spoofing.

I wouldn't consider that as a huge problem since all Internet PKI is subject
to strict contractual agreements and violating those might well be a
criminal offence. However, I'd like to know your opinion.

Regards,

S. Pidgorny, MS MVP, MCSE/SCSA

DISCLAIMER: Opinions expressed by me are not necessarily my employer's; they
are not intended to be formal and accurate. Neither myself nor my employer
assume any responsibility for any consequences.
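
Added example, not part of the original post: a stdlib-only check that walks a certificate's DER and reports whether each issuing certificate in a chain is X.509 v3 with Basic Constraints cA=TRUE, flagging V1 or extension-less certificates in the middle of a chain. The function names and the skeleton sample certificates are constructed for illustration; signature, validity and name checks are out of scope.

```python
BASIC_CONSTRAINTS_OID = bytes([0x55, 0x1D, 0x13])  # 2.5.29.19

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length, as found in real certificates
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed element's content into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def ca_status(cert_der):
    """Return 'v1-no-extensions', 'no-basic-constraints', 'end-entity' or 'ca'."""
    tbs = children(children(read_tlv(cert_der)[1])[0][1])
    if tbs[0][0] != 0xA0:  # no [0] version field means X.509 v1
        return "v1-no-extensions"
    for tag, val in tbs:
        if tag != 0xA3:  # [3] EXPLICIT Extensions
            continue
        for _, ext in children(read_tlv(val)[1]):
            fields = children(ext)
            if fields[0][1] == BASIC_CONSTRAINTS_OID:
                bc = children(read_tlv(fields[-1][1])[1])  # OCTET STRING -> SEQUENCE
                is_ca = bool(bc) and bc[0][0] == 0x01 and bc[0][1] != b"\x00"
                return "ca" if is_ca else "end-entity"
    return "no-basic-constraints"

def unsafe_issuers(chain):
    """chain: leaf, then intermediates (no root). Indexes of issuers lacking cA=TRUE."""
    return [i for i, der in enumerate(chain) if i > 0 and ca_status(der) != "ca"]

def tlv(tag, *parts):  # sample builder, short-form lengths only
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)

def sample_cert(v3=True, bc=None):
    """Constructed skeleton certificate; bc is BasicConstraints content or None."""
    tbs = [tlv(0xA0, tlv(0x02, b"\x02"))] if v3 else []
    tbs += [tlv(0x02, b"\x01")] + [tlv(0x30)] * 5  # serial + five empty fields
    if bc is not None:
        ext = tlv(0x30, tlv(0x06, BASIC_CONSTRAINTS_OID), tlv(0x04, tlv(0x30, bc)))
        tbs.append(tlv(0xA3, tlv(0x30, ext)))
    return tlv(0x30, tlv(0x30, *tbs), tlv(0x30), tlv(0x03, b"\x00"))
```

A validator that cannot tell "ca" from the other three results for an intermediate has no technical basis for accepting it as an issuer, which is the gap the post describes.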
