Bugtraq mailing list archives
Re: IE SSL Vulnerability
From: Paweł Krawczyk <kravietz () aba krakow pl>
Date: Sat, 10 Aug 2002 09:45:17 +0200
On Wed, Aug 07, 2002 at 12:24:19PM -0700, Mike Benham wrote:
First of all, https://www.thoughtcrime.org is NOT the demo site. Several people were confused by this email, and subsequently concluded that their browser isn't vulnerable because they got an alert that the "name on the certificate is invalid." If you would like to see a demo of this vulnerability, please email me offline.
By the way, I've performed full man-in-the-middle with a real bank involved and myself as victim. It's easy and works perfectly, so I've put a brief description and screenshots at http://arch.ipsec.pl/inteligo.html

Details on programs' setup and fake certificate generation are omitted so as not to provide script-kiddies with a ready recipe. Actually, you can use Mike's https://www.thoughtcrime.org/ as demo site, but you first need to DNS spoof your browser into thinking that www.amazon.com has the address of 66.93.78.63, which is easy using dnsspoof from dsniff, for example.

--
Paweł Krawczyk, Kraków, Poland
http://echelon.pl/kravietz/
crypto: http://ipsec.pl/
horses: http://kabardians.com/