Steve Lamb's Blog

Security Matters


What is the Padlock for in Internet Explorer? Claims of Breaking SSL in Internet Explorer


I've seen sessions @ security events which claim to "Break SSL in Internet Explorer" & recently received an email along the same lines (listed after the next couple of paragraphs starting "Subject").

The "Padlock" is part of Internet Explorer as shipped in Windows. It signifies that an SSL (i.e. encrypted) connection is taking place. I have seen a demonstration by a (white hat) hacker whereby a sample website included a script (that ran behind the scenes on the client computer) which added a fake padlock icon to the screen.

Windows XP Service Pack 2 defeats this attack – it prevents scripts from executing without the user being aware of and allowing them (their activation is signified in the Information Bar @ the top of the window) & it also prevents scripts from writing outside the window – i.e. can’t over-write the padlock/menus (I’ve seen that too!) or any other part of IE.

BTW: The "Padlock" icon signifies that Server-Side-SSL is active (i.e. the server has successfully authenticated itself to the client's browser via presentation of its X.509 PKI Certificate & proof of ownership of the associated private key). Client-side-SSL is optional (i.e. the client has successfully authenticated itself to the server following successful server-side authentication). The "Padlock" icon does not change to reflect that client-side-SSL has also taken place.

Subject: Email Security

Hi Stephen,

I had a question from a partner about the "padlock" which appears on the websites when entering a secure site. Due to the recent increase in "phishing attacks" the bogus site emulates the padlock to give the impression that the person is entering a secure site whereas they aren’t. Is this "padlock" a Microsoft software component?

Comments
  • The user should always be warned to double click on the padlock to check the certificate information. This will avoid these attacks, but if you can do the fake pad thing you can then also handle that onclick event to the padlock.