SSL Certificate Security Flaw In Microsoft Internet Explorer

I first saw this in The Register, which attributes discovery of the flaw to Mike Benham, but CNET has a clearer take:

The IE problem has been around for at least five years and could allow an attacker to intercept personal data when a person is making a purchase or providing information for e-commerce purposes, said Mike Benham, an independent security researcher based in San Francisco.

“If you ever typed in credit card information to an SSL site, there’s a chance that somebody intercepted it,” he said, referring to the Secure Socket Layer protocol for encryption and authentication.

IE fails to check the validity of digital certificates used to prove the identity of Web sites, allowing for an “undetected, man in the middle attack,” he said Monday.

Well, isn’t that just ducky. I’ve not yet seen much coverage of this, but the little I have seen makes me think this is far more serious in terms of the average user than it appears, given the increased popularity of online purchasing and bill paying.