Netscape Communicator Inconsistent SSL Certificate Warning Vulnerability
From the CERT Advisory (see Credit):
Suppose that an attacker constructs a web site named example.com, authenticated by a certificate that does not match example.com, and convinces a victim to navigate there. Netscape will present a warning dialog indicating that the site to which the user thinks she's navigating (www.example.com) does not match the information presented in the certificate. If the user does not intend to provide any sensitive information to www.example.com, she may choose to continue with the connection (i.e., she may choose to click "OK" in response to the warning dialog), possibly attributing the warning dialog to a benevolent misconfiguration on the part of example.com or failing to understand the implications of the warning dialog.
Then, within the same session, no warning dialogs will be presented under the following circumstances:
- the attacker co-opts the DNS system in some fashion to cause the DNS name of a legitimate site to resolve to the IP address of a system under the control of the attacker
- the system under the control of the attacker is authenticated using the same certificate as www.example.com, which the user previously accepted in the warning dialog mentioned above
- the victim attempts to connect to the legitimate site (but instead gets directed to the site under the control of the attacker by virtue of the attack on DNS)
This allows the attacker to bypass the ordinary "sanity checking" done by Netscape, and the result is that the user may provide sensitive information to the attacker.