1995-10-14 - Re: Same ol’ massive MITM exposure in Netscape 2.01b

Header Data

From: Jeff Weinstein <jsw@netscape.com>
To: cypherpunks@toad.com
Message Hash: 343eb45639619a286961b0e88b2d15b1a4f4c73e935b1b4cc8c91e8fad04171f
Message ID: <307F601F.19A2@netscape.com>
Reply To: <Pine.SOL.3.91.951013122654.26464D-100000@chivalry>
UTC Datetime: 1995-10-14 07:04:37 UTC
Raw Date: Sat, 14 Oct 95 00:04:37 PDT

Raw message

From: Jeff Weinstein <jsw@netscape.com>
Date: Sat, 14 Oct 95 00:04:37 PDT
To: cypherpunks@toad.com
Subject: Re: Same ol' massive MITM exposure in Netscape 2.01b
In-Reply-To: <Pine.SOL.3.91.951013122654.26464D-100000@chivalry>
Message-ID: <307F601F.19A2@netscape.com>
MIME-Version: 1.0
Content-Type: text/plain


Simon Spero wrote:
> 1) The client does not do any verification that the certificate used for
> the transaction is one associated with the server, allowing MITM
> substitutions as long as the server has a properly signed certificate
> 
> 2) The client does not issue warnings for redirections from one https
> page to another https page, even if the url to which it is redirected has
> a different hostname to the url originally dereferenced.

  I'm working on these right now.  A future beta will have fixes for
this.

> 3) In the case of redirection, the document info screen does not provide
> information about the originally referenced page, just the final page.
> This allows the MITM to intercept the first request, steal the request
> data, then issue a redirect to hide the certificate used in the intercept.

  If the previous two are fixed, it doesn't seem that this is really
important.

> 4) In the beta version, the document info page does not display the
> security info (I did check with MITM disabled).

  Did you have the disk cache turned off?

	--Jeff

-- 
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.
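The two missing checks Simon Spero describes in points 1 and 2 (a CA-signed certificate accepted without comparing its name to the host the client asked for, and an https-to-https redirect to a different host with no warning) are easy to state as code. The following is an added example written for this archive page, not code from the original message or from Netscape; the certificate records, hostnames and redirect chain in it are constructed sample data, and the rules it applies (wildcard only as the whole leftmost label, at least two labels after it) are the ones browsers settled on later rather than anything the 1995 thread specifies.

```python
from urllib.parse import urlsplit


def accept_certificate_naive(cert, requested_host):
    """The acceptance rule the report attributes to the beta: a valid chain
    to a trusted signer is enough, regardless of whose name is in it."""
    return bool(cert["chain_valid"])


def _name_matches(pattern, host):
    """Match one certificate name against the requested host."""
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # Wildcard only as the entire leftmost label, with at least two labels
    # after it (so "*.com" never matches), and only matching one host label.
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return h_labels[1:] == p_labels[1:]


def hostname_matches(cert_names, requested_host):
    """True if any name in the certificate covers the host we asked for.
    Comparison is case-insensitive and ignores a trailing dot."""
    host = requested_host.lower().rstrip(".")
    return any(_name_matches(n.lower().rstrip("."), host) for n in cert_names)


def accept_certificate_checked(cert, requested_host):
    """The hardened rule: chain must be valid AND the name must match."""
    return bool(cert["chain_valid"]) and hostname_matches(cert["names"], requested_host)


def https_host_changes(redirect_chain):
    """Return the hops where both URLs are https but the host differs,
    i.e. the redirects the report says the client performed silently."""
    flagged = []
    for src, dst in zip(redirect_chain, redirect_chain[1:]):
        s, d = urlsplit(src), urlsplit(dst)
        if s.scheme == "https" and d.scheme == "https" and s.hostname != d.hostname:
            flagged.append((src, dst))
    return flagged


# Constructed sample data (hypothetical hosts under .example).
# A CA-signed certificate for an unrelated name, as an interceptor would hold:
MITM_CERT = {"chain_valid": True, "names": ["*.mitm.example"]}
# The certificate the real site presents:
SITE_CERT = {"chain_valid": True, "names": ["www.bank.example", "bank.example"]}
# A redirect chain in which the interceptor answers the second request
# with a redirect to its own https site:
SAMPLE_CHAIN = [
    "https://www.bank.example/login",
    "https://www.bank.example/auth",
    "https://login.mitm.example/auth",
]

if __name__ == "__main__":
    host = "www.bank.example"
    print("naive accepts MITM cert:  ", accept_certificate_naive(MITM_CERT, host))
    print("checked accepts MITM cert:", accept_certificate_checked(MITM_CERT, host))
    print("checked accepts site cert:", accept_certificate_checked(SITE_CERT, host))
    for src, dst in https_host_changes(SAMPLE_CHAIN):
        print("warn: https host changed", src, "->", dst)
```

The naive rule accepts the interceptor's certificate for www.bank.example because the chain is fine; the checked rule rejects it. The redirect scan flags only the https-to-https hop that changes host, which is the case point 2 raises; an https-to-http downgrade is a separate condition and is not what this function reports.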