1997-01-15 - Re: MAJOR MSIE SECURITY BUG

Header Data

From: Bill Stewart <stewarts@ix.netcom.com>
To: source@iaccess.za
Message Hash: 3f2e15764f3dc22f034f5adf8281c5c72f1b15c1ffc889a6c27015a1fad15864
Message ID: <3.0.1.32.19970114182042.0062beb8@popd.ix.netcom.com>
Reply To: N/A
UTC Datetime: 1997-01-15 07:21:23 UTC
Raw Date: Tue, 14 Jan 1997 23:21:23 -0800 (PST)

Raw message

From: Bill Stewart <stewarts@ix.netcom.com>
Date: Tue, 14 Jan 1997 23:21:23 -0800 (PST)
To: source@iaccess.za
Subject: Re: MAJOR MSIE SECURITY BUG
Message-ID: <3.0.1.32.19970114182042.0062beb8@popd.ix.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


It's rather self-serving to call this major lack-of-feature a
MAJOR SECURITY BUG.  Sure, it limits what you can do, but if it does
what it claims to do, it's not a bug, it's just lack of vision,
and there are _far_ more targets at Microsoft for complaints about that :-)
MAJOR SECURITY BUGs are things like ActiveX and JavaScript-you-can't-turn-
off.  At least they seem to take a fail-secure approach to unknown CAs
(even if it is fail-hostilely) rather than a more typical Microsoft
fail-insecure-but-friendly fallback.

The interesting capability that setting your own CAs isn't just that
it lets you choose which service providers can be roots of a hierarchical 
tree-of-CAs model - it's that it lets you go beyond that model
to support a web-of-trust model like PGP's, which is a Good Thing.
You can duplicate this in a hierarchical world (if you must :-)
by being the your own CA tree root, and certifying the other CAs you like.

Netscape's original SSL implementations also only supported one
CA root (Verisign), but after they got that working, they added
user-selected CAs as well.  Maybe MS will add this later?  


At 11:23 AM 1/10/97 GMT+2, source@iaccess.za wrote:
>MSIE has a MAJOR security flaw in that it limits MSIE users to a very
>restricted set of secure sites ONLY.  Netscape Navigator does not have
> this MAJOR limitation.
>The bugs prevents access to Secure Servers other that those which MS 
>has decided to grant a monopoly to.  This is both limiting to users 
>and inhibits Servers to their choice of Certificate Authorities. 
......
>When MSIE does not recognise a Certificate Authority, it prompts the
>user by saying it cannot connect to that site and gives the user no
>opportunity to connect or access the Certificate Authority.
>One of the ways the Certificate authorities are getting around this 
>problem is to publish a page listing their certificates. 
>The problem however is that users have to know this in advance and 
>MSIE gives no indication that this is
>what needs to be done or where to go.
....
>CompuSource in South Africa tries to accomnodate MSIE users by [.....]
>https://www.compusource.co.za    [.....]
>Regards,
>The Power Team
>SMTP:   source@iaccess.za               Tel:    +27-21-75-9197
>HTTP:   http://www.compusource.co.za    FAX:    +27-21-72-8005
>FTP:    ftp://ftp.compusource.co.za     Postal: Building 6, Room 201
>                                        CompuSource (Pty) Ltd


#			Thanks;  Bill
# Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
#     (If this is a mailing list, please Cc: me on replies.  Thanks.)






Thread