Friday, August 09, 2002

Amazing Microsoft Internet Explorer bug. Read about it here, here, or here.

The way SSL works, certs carry a basicConstraints extension that shows whether a cert is an end-user cert or a CA cert. If no one checked that extension, then any bozo could buy a $50 end-user cert from Verisign and act as a CA, signing certs for bogus sites or anyone else. MSIE, up through and including v.6, does not check the certificate extensions. Anyone with a Verisign cert can be a CA!! Netscape is OK.
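What the missing check looks like when it is present, as an added example (not code from this post or from any browser): a Go program using the standard `crypto/x509` package builds a constructed chain, root CA, then a middle cert, then `bank.example`, and validates it twice, once with the middle cert marked as a CA and once as an ordinary end-entity cert. The helper names `issue` and `verifyChain` and all `.example` host names are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a cert for name, signed by parent (self-signed when parent is nil).
func issue(name string, isCA bool, serial int64, parent *x509.Certificate, pKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign // only real CAs get keyCertSign
	}
	if parent == nil {
		parent, pKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced
	return cert, key
}

// verifyChain validates root -> middle -> bank.example (all constructed test certs).
func verifyChain(middleIsCA bool) error {
	root, rootKey := issue("root-ca.example", true, 1, nil, nil)
	middle, middleKey := issue("shop.example", middleIsCA, 2, root, rootKey)
	site, _ := issue("bank.example", false, 3, middle, middleKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(middle)
	_, err := site.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "bank.example"})
	return err
}

func main() {
	fmt.Println("middle is a CA:", verifyChain(true), "| middle is end-entity:", verifyChain(false))
}
```

The signatures in both chains are cryptographically valid; the only thing that separates the accepted chain from the rejected one is the CA flag in the middle cert's basicConstraints.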
