GCVE-VVD-CERTCC-2000-37526
Advisory Published · CVSS 0.0/10
Vulnetix · Advisory published May 25, 2000
A flaw exists in Netscape Navigator that could allow an attacker to masquerade as a legitimate web site if the attacker can compromise the validity of certain DNS information. This is different from the problem reported in CERT Advisory CA-2000-05, but it has a similar impact. This vulnerability was recently discovered by Kevin Fu of the Massachusetts Institute of Technology and, independently, by Jon Guyer.

If a user visits a web site in which the certificate name does not match the site name and proceeds with the connection despite the warning produced by Netscape, then subsequent connections to any sites that have the same certificate will not result in a warning message.

It should be noted that neither this vulnerability nor the one described in CERT Advisory CA-2000-05 represents a weakness or vulnerability in SSL. Rather, these problems are a result of the fundamentally insecure nature of the DNS system, combined with an over-reliance on web browsers to do "sanity checking." In both cases, it is (and has been) within the power of the user to validate connections by examining certificates and verifying the certificates against their expectations.

Netscape and other browsers take steps to warn users when the DNS information appears to be suspicious, but the browser may not be able to do all the checks necessary to ensure that the user is connecting to the correct location. Therefore, as a general practice, the CERT/CC recommends validating certificates before any sensitive transactions.
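
The warning-suppression behaviour described above can be modelled in a few lines. This is an added example, not Netscape's code or part of the original advisory: the class names, host names and fingerprint are constructed, and the host-scoped store is an assumed safer policy shown only for contrast.

```python
# Added model of the behaviour the advisory describes; not Netscape's code.
# Host names and the fingerprint are constructed placeholders.

class Cert:
    def __init__(self, fingerprint, names):
        self.fingerprint = fingerprint
        self.names = {n.lower() for n in names}

class CertKeyedExceptions:
    """Advisory behaviour: an accepted mismatch is remembered per certificate."""
    def __init__(self):
        self._accepted = set()
    def remember(self, host, cert):
        self._accepted.add(cert.fingerprint)
    def is_accepted(self, host, cert):
        return cert.fingerprint in self._accepted

class HostScopedExceptions:
    """Assumed safer policy: remembered per (host, certificate) pair."""
    def __init__(self):
        self._accepted = set()
    def remember(self, host, cert):
        self._accepted.add((host.lower(), cert.fingerprint))
    def is_accepted(self, host, cert):
        return (host.lower(), cert.fingerprint) in self._accepted

def connect(store, host, cert, user_proceeds=False):
    """Return the outcome of one HTTPS connection attempt."""
    if host.lower() in cert.names:
        return "ok"                      # name matches, nothing to warn about
    if store.is_accepted(host, cert):
        return "silent-mismatch"         # mismatch, but no warning is shown
    if user_proceeds:
        store.remember(host, cert)
        return "warned-proceeded"
    return "warned-aborted"

def replay(store):
    """First visit: user clicks through a mismatch. Second visit: a different
    host name resolves (via bad DNS data) to a server with the same certificate."""
    cert = Cert("00:11:22:constructed", ["www.first.example"])
    return [
        connect(store, "other.first.example", cert, user_proceeds=True),
        connect(store, "www.second.example", cert),
        connect(store, "www.first.example", cert),
    ]

if __name__ == "__main__":
    for store in (CertKeyedExceptions(), HostScopedExceptions()):
        print(type(store).__name__, replay(store))
```

With the certificate-keyed store the second connection is a name mismatch that produces no warning; with the host-scoped store the user is warned again.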