IE and Konqueror Bug Makes SSL Insecure

Spad writes "The Register reports that IE and Konqueror both have a bug that allows anyone with a legit Verisign SSL certificate to issue a 'legit' certificate for a 3rd party site. IE and Konqueror don't both to check the issuer of this intermediate cert making SSL in both browsers something of a joke". Update by Hetz: if you're using KDE from CVS, the fix is inside or you can wait to next week for KDE 3.0.3 (which will have more fixes for KDE 3.0). Thanks to Waldo bastian for the blazing fast fix (95 minutes since it was reported).

Sounds like a feature to me!

[Nonesuch]

I've been looking for a way to issue new "trusted" certificates for my web sites without having to pay big bucks to Verisign.

Little did I know, the answer was right in front of me, in the form of the one Verisign certificate I shelled out the cash for :-)

Security.

[saintlupus]

making SSL in both browsers something of a joke.

And here I was assuming that a fine MS product like Internet Explorer would embody the rock-solid security I've come to expect from the fellows in Redmond.

For shame, for shame.

--saint

Not surprising

[leviramsey]

After all, Konqueror is clearly a clone of IE (think about it: explorer vs. conqueror, both are file-managers cum web browsers, etc.). This is just a demonstration of how well the KDE people can emulate MS.

Re:Huh?

[erpbridge]

IE and Konqueror don't bother to check the issuer of this intermediate certificate, making SSL in both browsers something of a joke.

Now, in L33T SP34K:
1E 4ND KoNKw3R0r d0n'T BO+her tO cHeCK Th3 1$Su3r 0f +h15 iNTERmEdi@+E cEr+1PHiC4+3, M4K1nG 55l iN BO+h BR0w5ERS 5OMe+hIN9 0F @ JoK3.

Anyone up for Swedish Chef'ing this?

Damn.

[FreeLinux]

It's been 20 minutes now and KDE doesn't have the fix up yet.

This is just rediculous. Why are they taking so long? I don't have all day. ;)

Seriously though, with a long list of IE bugs still outstanding and Microsoft blaming Verisign, rather than fixing their software, I'll bet that KDE has a fix a month or more before MS.

Re:Huh?

[Anonymous Coward]

Can I get an english translation of the poster's last sentence?

All your kardz are belong to us.

Re:SSL is insecure?

[Anonymous Coward]

Let's try not to be nit-picky for the sake of being nit-picky.

Is "nit-picky" supposed to be hyphenated?

A joke

[Dirtside]

making SSL in both browsers something of a joke.

So, SSL, IE, and Konqueror walk into a bar...

Re:Start Timing...

[Jucius Maximus]

"6 months: most MSIE users have the security update
1 year: most Linux/BSD users get around to updating"

You forgot:

7 months: security people figure out that MSIE patch doesn't work, MSFT denies it.

9 months: microsoft releases new patch

18 months: IE users finally are patched