IE doesn't lock down

See correction below

WE'VE SPENT years teaching users that their passwords and credit card numbers are secure on the Web as long as a little lock icon appears in the status bar of their browser windows.

Now it turns out that this isn't true. Microsoft Internet Explorer Versions 5.0 (released in 1999), 5.5, and today's 6.0 don't fully support SSL, according to Mike Benham, a white-hat security expert. SSL is the security technology that the lock icon visually assures us is enabled.

Benham posted an explanation last month on Bugtraq, a security forum. Numerous other professionals have confirmed the hole. Please read SecurityFocus HOME Mailing List: BugTraq

The issue lies with SSL certificates. These are assigned to e-commerce Web sites by "certificate authorities" such as VeriSign, Thawte, and several other companies. When used properly, these digitally signed certificates verify that your browser is communicating with a known Web site and that no one else can intercept and read your data.

The recipient of a certificate, however, can generate an "intermediate" certificate labeled Amazon.com, PayPal.com, or any other name. Benham says the Netscape and Mozilla browsers correctly check that the entire "chain" of certificates is valid but, amazingly, IE does not.

This permits a "man-in-the-middle" attack. An unscrupulous worker at an ISP, for example, could watch IE users' credit card numbers and passwords flow by, then use them or sell them.

Steve Fallin, director of the rapid response team for WatchGuard Technologies ( http://www.watchguard.com ), says this is "a pretty fundamental cryptographic flaw." He added, "If it's confirmed that it's been a flaw for three years, then it's pretty serious."

David Graves, engineering manager of Descan.net, explains that the fault lies with Windows itself, which Netscape and others don't draw upon for SSL services. "A unique fix for each Windows version will need to be developed," he says.

Steve Lipman, Microsoft's director of security assurance, confirmed in an interview that the company is developing patches for all supported versions of Windows, back to Windows 98.

Microsoft's response is at http://www.microsoft.com/technet/security/news/IARWSV.asp . The notice says exploiting the flaw would be "difficult." But Benham replies that such attacks are simple and well known. "If they were so difficult," he points out, "nobody would need SSL to begin with."

It's true that your credit card is at risk every time you give it to a waiter, and there's a $50 fraud limit. But companies that rely on SSL for more than ordering pizza have real cause for alarm.

Starting immediately, all e-commerce sites have a duty to warn vulnerable IE users to switch to another browser for sensitive transactions. That may be inconvenient, but it eliminates the danger.

Correction

In "IE doesn't lock down" (see Sept. 2, page 20), we misreported the name of Steve Lipner, Microsoft's director of security.