
Re: (Fwd) Alleged security problems with (French) MSIE V2.0



Here's an update on the alleged problem. Once again, I have not
tried this myself.

* The problem also seems to exist in MSIE for Windows 3.1, English
version 2.1.

* The problem occurs when the server sends the browser a certificate
signed by a non-Verisign CA (maybe any cert where the signer
is not known to the browser?).

MSIE allegedly displays a 'locked key' icon, indicating a protected
connection, but sends the GET request in the clear.

I do not know if the server (which server?) sends the requested page. 
At the minimum, the request is potentially exposed to prying eyes.

Peter Trei
trei@process.com

Disclaimer: I am not representing my employer.