Practical demonstration of the MSIE6 certificate path vulnerability

2002-08-10 00:00:00 +0100

The vulnerability is described in details in Mike Benham’s post to Bugtraq mailing list. Simply, MSIE fails to detect a inconsistency in certification chain of X509 certificates. This allows the attacker to “inject” his own certificate into the chain and perform a successful man-in-the-middle attack on anyone using MSIE to connect to a SSL server.

I used the following open-source and freely available tools;