Friday, March 25, 2011

Internet Explorer Certificate Security

Once upon a time in a world not too unlike this one, there was an Internet Explorer browser known as 6.0.  It was a nice little browser and had one big security advantage over all of its progeny - it not only looked at the Certificate Revocation List published by each Trusted Root Certification Authority, it also took the step of informing the user if this List could not be contacted.  That's a sane, security-conscious move right there.

Now, in a strange reversal of "Survival of the fittest" (which is a term incorrectly attributed to Charles Darwin), a genetic mutation occurred during the coding of Internet Explorer 7 whereby the CRL is still checked, but if the List cannot be contacted the user is no longer informed and continues on their merry way thinking that everything is good.  This mutated genetic code has then been successfully passed down to MSIE 8 and also on to MSIE 9.  This is not a good thing.

To address this issue, you'll need to make a Registry modification.  This isn't something that only those chosen few can do, but it is something you need to be really careful doing unless you like turning functional computers into smouldering piles of partially molten metal(1).  This Registry modification was originally listed in Microsoft Knowledge Base Article 946323 which has since been removed from the Microsoft KB.

I'm not going to repeat what's already out there in the Intarwebs, so I'll just link to an existing site showing what this Registry modification entails.  Obviously those people running an AD-based network can push this Registry entry out using GPO - Policies or Preferences depending on the version of AD/Server and your organizations policies on these sorts of things.

So, this link is basically a copy of the original (now removed) Microsoft KB article.  It adds the "FEATURE_WARN_ON_SEC_CERT_REV_FAILED" key to the Registry.  This link is to one of the original blog posts in 2007 about this security issue.

With the recent Comodo SSL breach still fresh in our minds, it should be time to ask, again, why this setting is not the default in Microsoft Internet Explorer and also why Microsoft has removed KB 946323 instead of updating it for MSIE 8 and MSIE 9.

(1) OK, your computer won't *physically* melt down, but you definitely need to be careful when editing the Registry as it can result in an unstable on unbootable Windows installation.  If we're talking about a F^HVista box here, making it unbootable may not be a bad thing - especially if this then means you can upgrade it to Windows 7!  :)

Regards,

The Outspoken Wookie

1 comment:

Michelle A. said...

This is really concerning. I'm definitely going to speak to my IT guy and get this implemented.

Michelle
Certificate Programs Admin