Microsoft this week confirmed that a flaw does exist in its implementation of Secure Socket Layer (SSL), a feature of Internet Explorer designed to protect users conducting e-commerce transactions. However, it said the hole would be difficult to exploit.
Last week security expert Mike Benham, writing on the BugTraq Web site, alerted users to a potentially serious flaw in the way Microsoft handles digital certificates used by the SSL protocol within Internet Explorer.
Benham suggested that Internet Explorer's inability to accurately trace the authentication of a digital certificate could allow hackers to replace a certificate from an e-commerce site with their own, thus allowing them to imitate the site.
In an article on its TechNet developer site Microsoft said that while it would be possible to imitate an e-commerce site, a hacker would still need to get users to log into the fake site instead of the genuine one.
It also suggested that users could always check the authenticity of a certificate by clicking on the padlock icon in Internet Explorer. While this can be used to check for a fraudulent certificate, Giga Information Group analysts Ken Smiley and Jan Sundgren believe users are unlikely to go to this trouble.
A Giga paper on the flaws in SSL reported that while glitches in the authentication function of SSL certificates are nothing new, the Microsoft flaw exacerbated the problem. "This flaw does make things worse because it's no longer just a matter of revoked or poorly verified certificates but of easily created fraudulent certificates," according to Smiley and Sundgren.
Analyst firm Gartner rated the flaw "medium risk", but in a paper on the topic analyst John Pescatore said it would make Internet Explorer a prime target for identity theft. He said attackers could capture passwords or credit card information from Internet users who believe they are connected to a trusted site.
"Active exploitation of the flaw could greatly undermine users' confidence in e-commerce by making them reluctant to send passwords or credit-card information over the Internet," Pescatore warned. He advised users to update all Microsoft browsers and their intrusion detection and vulnerability scanning products to detect session hijacking attempts as and when Microsoft issued a patch.
Microsoft said it was developing a patch to correct the SSL problem. "When the patch is available, we will release a security bulletin discussing the overall issue and how to apply the patch," it said on the TechNet site.
Digital certificates are based on a public key infrastructure (PKI) and provide users with a degree of protection from fraudulent Web sites. Genuine e-commerce sites are issued with a certificate from a Certification Authority (CA), which users can check to validate the authenticity of the site they visit.
The way certificates are issued means it is not possible for a single CA to authenticate every certificate on the Web globally. Thus a hierarchy of trust exists between CAs across the globe.
The trust relationship specifies whether a certificate validated by one CA is accepted by another CA further up the hierarchy, and it carries any constraints placed on the certificate, known as "basic constraints".
On the Bugtraq site Benham said it is possible to mimic a valid certificate within this hierarchy by exploiting a flaw in Internet Explorer.
The browser software should verify the basic constraints of the certificates, and the URLs associated with them, all the way up the hierarchy. But, Benham said, Internet Explorer does not check the basic constraints on the certificate. The result: "Anyone with any CA-signed certificate (and the corresponding private key) can spoof anyone else," he said.
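The check Benham describes, as an added illustration that is not from the article or from Microsoft: a toy chain validator that walks from the site certificate up to a trusted root, verifying each issuer's signature and, when `check_basic_constraints` is on, that each issuer is actually marked as a CA. Certificates, keys, the "signature" (a plain digest bound to the signer's key, standing in for real public-key crypto) and the sample chain are all constructed here for the demonstration.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str   # host name or CA name the certificate is issued to
    issuer: str    # subject of the certificate that signed this one
    ca: bool       # basicConstraints cA flag: may this cert sign others?
    pubkey: str    # toy public key, an opaque string
    sig: str       # toy signature over the fields above

def _tbs(subject: str, issuer: str, ca: bool, pubkey: str) -> bytes:
    return f"{subject}|{issuer}|{int(ca)}|{pubkey}".encode()

def sign(tbs: bytes, signer_pubkey: str) -> str:
    # Toy stand-in for a real signature: a digest bound to the signer's key.
    return hashlib.sha256(tbs + signer_pubkey.encode()).hexdigest()

def issue(subject: str, ca: bool, pubkey: str, signer: Cert) -> Cert:
    tbs = _tbs(subject, signer.subject, ca, pubkey)
    return Cert(subject, signer.subject, ca, pubkey, sign(tbs, signer.pubkey))

def signature_ok(cert: Cert, signer: Cert) -> bool:
    tbs = _tbs(cert.subject, cert.issuer, cert.ca, cert.pubkey)
    return cert.sig == sign(tbs, signer.pubkey)

def verify_chain(chain, trusted_roots, hostname, check_basic_constraints=True):
    """chain[0] is the site cert; each following entry issued the one before it.
    The last entry must be issued by a trusted root. Returns (ok, reason)."""
    roots = {r.subject: r for r in trusted_roots}
    if chain[0].subject != hostname:
        return False, f"certificate is for {chain[0].subject!r}, not {hostname!r}"
    for i, cert in enumerate(chain):
        signer = chain[i + 1] if i + 1 < len(chain) else roots.get(cert.issuer)
        if signer is None or signer.subject != cert.issuer:
            return False, f"issuer {cert.issuer!r} of {cert.subject!r} is not trusted"
        if not signature_ok(cert, signer):
            return False, f"bad signature on {cert.subject!r}"
        # The check the article says IE skipped: only a CA may sign certificates.
        if check_basic_constraints and not signer.ca:
            return False, f"{signer.subject!r} is not a CA (basicConstraints cA=false)"
    return True, "ok"

# Constructed sample: a trusted root, a legitimate site cert it issued, and a
# cert for another site signed with the ordinary (non-CA) site cert's key.
ROOT = Cert("Example Root CA", "Example Root CA", True, "root-key", "self-signed")
SHOP = issue("shop.example", False, "shop-key", ROOT)
BANK = issue("bank.example", False, "bank-key", SHOP)
```

With `check_basic_constraints=False` the chain `[BANK, SHOP]` passes, which is the behaviour the article attributes to Internet Explorer; with the check on it is rejected because `shop.example` is not a CA.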