Vulnerability: WAP
Affected: WAP gateways

Description:
'Gus' found the following. In a browser, when you connect to a site over SSL/TLS the browser automatically checks that the host part of the URL matches the name in the X.509 certificate the HTTPS server presents. Because the certificate's signature is verified against the "root" certificates of the large CAs (Thawte, Verisign, Global Trust etc.), the certificate itself is tamper-evident; the hostname match is what ties that certificate to the host you actually asked for. Together the two checks give assurance that you are connected to the right host and not to a man-in-the-middle presenting a valid certificate issued for some other name.

In WAP the handset does not speak TLS to the origin server: the gateway terminates the handset's (WTLS) session and opens the SSL/TLS connection itself, so the gateway is the only party in a position to perform the hostname check. It appears that most WAP gateways do not carry out this check, or if they do, no information about mismatches is passed back to the handset. In limited testing 3 of the 4 gateways used by UK mobile operators were vulnerable. Given this ratio one would expect this to be a global issue.

A browser-based testing tool for this issue is available at http://wap.z-y-g-o.com/ along with other wireless security information.

Solution:
CMG is aware of the problem and will be issuing a patch with the next upgrade. (Vodafone UK)
Openwave (Phone.com) is shipped vulnerable by default but can be fixed through the configuration interface. (one2one, Virgin UK, BTCellnet/Genie)
Nokia on HP/UX is not vulnerable. (Orange UK, Cingular USA)
Sprint PCS's WAP gateway does not give a detailed error message, but does not allow the connection if the root certificate is not from a trusted root CA.
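The following Python is an added example, not code from the advisory or from any WAP gateway vendor. It shows the two halves of the check described above as a TLS client (browser or gateway) must perform them: matching the requested host against the names in the peer certificate, and the client-side configuration that either performs chain and hostname verification or silently skips both, which is the behaviour the advisory attributes to most gateways. The host names and certificate dictionaries are constructed for illustration; the certificate dictionaries follow the format Python's `ssl.SSLSocket.getpeercert()` returns.

```python
# Added example, not code from the advisory or from any WAP gateway vendor.
# It shows the hostname check a TLS client (browser or WAP gateway) must
# perform on the peer certificate, and the client-side settings that turn
# certificate and hostname verification on or silently off. All host names
# and certificates below are constructed for illustration.
import ssl
from urllib.parse import urlsplit


def host_from_url(url):
    """Return the host part of a URL (lower-cased, port removed), or None."""
    return urlsplit(url).hostname


def name_matches(pattern, host):
    """Match one DNS name from a certificate against the requested host.

    Comparison is case-insensitive. A single leading "*." wildcard covers
    exactly one label, so "*.example.test" matches "wap.example.test" but
    neither "example.test" nor "a.b.example.test".
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return False


def cert_dns_names(cert):
    """DNS names a certificate asserts, in the dict form returned by
    ssl.SSLSocket.getpeercert(): subjectAltName entries first, and the
    subject commonName only as a fallback when no SAN is present."""
    names = [value for kind, value in cert.get("subjectAltName", ())
             if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def hostname_ok(cert, url):
    """The check the advisory says most gateways skip: does the certificate
    name the host the handset asked for?"""
    host = host_from_url(url)
    if host is None:
        return False
    return any(name_matches(name, host) for name in cert_dns_names(cert))


def gateway_contexts():
    """Two client configurations for the gateway-to-server TLS leg.

    'weak' accepts any certificate for any name, which reproduces the
    behaviour the advisory describes; 'strict' is Python's default client
    context: chain validation against the system roots plus the hostname
    check."""
    weak = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    weak.check_hostname = False          # must be cleared before verify_mode
    weak.verify_mode = ssl.CERT_NONE
    strict = ssl.create_default_context()
    return weak, strict


def context_verifies(ctx):
    """True only if the context validates the chain AND the hostname."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


# Constructed certificates in getpeercert() format (not real certificates).
BANK_CERT = {
    "subject": ((("countryName", "GB"),),
                (("commonName", "www.bank.test"),)),
    "subjectAltName": (("DNS", "www.bank.test"), ("DNS", "bank.test")),
}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.operator.test"),)}
LEGACY_CN_ONLY_CERT = {"subject": ((("commonName", "legacy.test"),),)}

if __name__ == "__main__":
    # A MITM holding a valid certificate for attacker.test fails the name
    # check against the bank URL even though its chain would validate.
    print(hostname_ok(BANK_CERT, "https://www.bank.test/login"))      # True
    print(hostname_ok({"subjectAltName": (("DNS", "attacker.test"),)},
                      "https://www.bank.test/login"))                  # False
    weak, strict = gateway_contexts()
    print(context_verifies(weak), context_verifies(strict))           # False True
```

The point of `gateway_contexts` is that the weak configuration does not fail loudly: a connection through it succeeds against any certificate, which is exactly the condition the handset never learns about. Auditing a gateway therefore means checking its configuration (or probing it with a mismatched certificate, as the z-y-g-o tool does), not waiting for an error.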