[plug] Re: FW: Interesting Study
Craig Ringer
craig at postnewspapers.com.au
Sat Aug 17 12:55:56 WST 2002
> The outcome is that for the foreseeable future, encrypted internet stuff
> using Microsoft Windows is insecure. That means it is NOT safe to use it
> for banking or other online transactions which rely on SSL technology.
Erm... actually I seem to remember reading that while the code is in
Windows, not IE (and what's the difference here anyway??), the flaw only
affects IE. At least, according to MS.

From the article you just referred to:
"Company officials added that the flaw isn't in Microsoft's CryptoAPI
application program interface (CAPI) either, which would have left a
number of applications and Windows services vulnerable, not just
Internet Explorer."
<snip>
"But Culp said that the SSL flaw doesn't affect any other application
outside Internet Explorer and that it's a client-side issue only."
The key point here is that, at least according to MS (and I haven't
heard anybody argue with them about it yet) while the code resides in
the OS (libs I assume), the fault only affects MSIE. This suggests to me
that it's actually in one of the libs that only need to be in IE but got
incorporated into the OS proper to make it harder to rip out / replace
IE. *sigh*.