I recently wrote this to Bugtraq, about the Recent SSL Vulnerability (It's called an IE vulnerability in the email I was responding to, but since it affected Opera, libssl and Konquerer as well, it's really the "Pretty Much Everything Except Mozilla" vulnerability.)

On Fri, 2002-08-16, robert walker wrote:

A huge amount of infrastructure is managed remotely via SSL and IE these days. It just boggles the mind the extent to which the security integrity of that infrastructure is now under a cloud unknowing

Actually, the SSL vulnerability is a very predictable answer to an old question. For a while now, one of the big “what ifs” of Internet security has been “What if one day, the SSL infrastructure is completely compromised?” The most common hypothetical example of this was the compromise of a Verisign root signing key.

Predictions have ranged from the death of e-commerce, to the end of the world as we know it.

Now, it's not hypothetical any more. Until this is patched and the majority of users upgrade (in other words, give it two years), anyone can forge site certificates that seem valid to 90% of Internet users. The result? The news hasn't reached the “real world” at all. The story has stayed on news-for-nerds websites and in the technical section of mainstream press. E-commerce hasn't skipped a beat.

Certainly none of our¹ customers, who were so adamant when we were speccing their web-applications that it must be secured with SSL, have come screaming to us wondering what to do now anyone can man-in-the-middle them.

I'm not sure whether to be saddened or wryly amused. I think I'll go with the latter.

Charles Miller

¹ Well, none of mine anyway.