[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: MAJOR MSIE SECURITY BUG



It's rather self-serving to call this major lack-of-feature a
MAJOR SECURITY BUG.  Sure, it limits what you can do, but if it does
what it claims to do, it's not a bug, it's just lack of vision,
and there are _far_ more targets at Microsoft for complaints about that :-)
MAJOR SECURITY BUGs are things like ActiveX and JavaScript-you-can't-turn-
off.  At least they seem to take a fail-secure approach to unknown CAs
(even if it is fail-hostilely) rather than a more typical Microsoft
fail-insecure-but-friendly fallback.

The interesting capability that setting your own CAs isn't just that
it lets you choose which service providers can be roots of a hierarchical 
tree-of-CAs model - it's that it lets you go beyond that model
to support a web-of-trust model like PGP's, which is a Good Thing.
You can duplicate this in a hierarchical world (if you must :-)
by being the your own CA tree root, and certifying the other CAs you like.

Netscape's original SSL implementations also only supported one
CA root (Verisign), but after they got that working, they added
user-selected CAs as well.  Maybe MS will add this later?  


At 11:23 AM 1/10/97 GMT+2, [email protected] wrote:
>MSIE has a MAJOR security flaw in that it limits MSIE users to a very
>restricted set of secure sites ONLY.  Netscape Navigator does not have
> this MAJOR limitation.
>The bugs prevents access to Secure Servers other that those which MS 
>has decided to grant a monopoly to.  This is both limiting to users 
>and inhibits Servers to their choice of Certificate Authorities. 
......
>When MSIE does not recognise a Certificate Authority, it prompts the
>user by saying it cannot connect to that site and gives the user no
>opportunity to connect or access the Certificate Authority.
>One of the ways the Certificate authorities are getting around this 
>problem is to publish a page listing their certificates. 
>The problem however is that users have to know this in advance and 
>MSIE gives no indication that this is
>what needs to be done or where to go.
....
>CompuSource in South Africa tries to accomnodate MSIE users by [.....]
>https://www.compusource.co.za    [.....]
>Regards,
>The Power Team
>SMTP:   [email protected]               Tel:    +27-21-75-9197
>HTTP:   http://www.compusource.co.za    FAX:    +27-21-72-8005
>FTP:    ftp://ftp.compusource.co.za     Postal: Building 6, Room 201
>                                        CompuSource (Pty) Ltd


#			Thanks;  Bill
# Bill Stewart, +1-415-442-2215 [email protected]
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
#     (If this is a mailing list, please Cc: me on replies.  Thanks.)