Security

IE and Konqueror Bug Makes SSL Insecure

Spad writes "The Register reports that IE and Konqueror both have a bug that allows anyone with a legit Verisign SSL certificate to issue a 'legit' certificate for a 3rd party site. IE and Konqueror don't bother to check the issuer of this intermediate cert, making SSL in both browsers something of a joke". Update by Hetz: if you're using KDE from CVS, the fix is inside, or you can wait until next week for KDE 3.0.3 (which will have more fixes for KDE 3.0). Thanks to Waldo Bastian for the blazing fast fix (95 minutes since it was reported).
  • funny... (Score:2, Interesting)

    by Ender Ryan ( 79406 ) <MONET minus painter> on Monday August 12, 2002 @10:58AM (#4054124) Journal
    Just this weekend my fiancee was trying to pay her credit card bill online. However, the bank's site wouldn't allow any browser other than IE into their site to pay. So she used Opera and masqueraded as IE.

    So, why on earth would a bank, or all companies, only allow what is probably the most insecure browser around to access the site? A bank for cryin out loud! A company that people trust to handle their hard earned cash, allows only IE to handle "secure" transactions on their site!

    And don't get me started on payment processing companies partnering with MS to develop secure payment solutions... You'd think they'd partner with IBM or any other company with a decent track record of reasonable security.

  • Interesting page (Score:2, Interesting)

    by PacoSuarez ( 530275 ) on Monday August 12, 2002 @11:04AM (#4054160)
    Take a look here [e-matters.de]. I especially like the last paragraph about "reimplementing" the bug.
  • by FooBarWidget ( 556006 ) on Monday August 12, 2002 @11:11AM (#4054203)
    A few weeks ago I ran into a site (forgot which one) that has a certificate belonging to another site. Mozilla detected that and displayed a warning dialog.
  • Re:FP (Score:1, Interesting)

    by gazbo ( 517111 ) on Monday August 12, 2002 @11:27AM (#4054294)
    I can't believe MS have got yet another bug. Their software has just shown time and again that they have no idea how to write secure code. This sort of thing will take them months to come up with yet another Windows Update.

    This sort of teething problem is bound to appear in Konqueror and is not really that serious. No doubt it'll be fixed and patched within a few days (or hours, if history is any guide!). It's situations like this when you see just how superior Open Source is as a paradigm.

  • Comment removed (Score:3, Interesting)

    by account_deleted ( 4530225 ) on Monday August 12, 2002 @11:39AM (#4054357)
    Comment removed based on user account deletion
  • by PigleT ( 28894 ) on Monday August 12, 2002 @11:42AM (#4054379) Homepage
    "I'm annoyed that browsers have been swept into warning you if the site you're visiting doesn't support Verisign's cash flow."

    I know the feeling... the only other problem is, though, how does the vast consumer-base out there deal securely online? It doesn't add anything to have to phone up to read out an SSL certificate fingerprint - you might as well just place the order over the phone!

    Maybe what we need is a kind of web-of-trust like the idea of a PGP key-server, only for SSL certificates?
  • by sirinek ( 41507 ) on Monday August 12, 2002 @12:08PM (#4054521) Homepage Journal
    Konqueror's javascript and DHTML support are "somewhat of a joke", so why not add SSL to that mix. :)

    I love KDE, but I will love it fully when I can stop having to load gnome-ish apps like Mozilla to cover up KDE's shortcomings.

    siri
  • by tshak ( 173364 ) on Monday August 12, 2002 @12:17PM (#4054609) Homepage
    But will the KDE team have regression tested their fix?
  • Re:So? (Score:3, Interesting)

    by topham ( 32406 ) on Monday August 12, 2002 @12:20PM (#4054631) Homepage
    While I agree with you as to the actual effectiveness I don't think self-signing is actually a solution.

    I know that Verisign is less than absolutely trustworthy. I also know they take at least basic steps to ensure they issue a certificate to the correct entity. (Yes, they have made mistakes on that in the past, re: Microsoft).

    I don't on the other hand, have any reason to believe you aren't a fly-by-night huckster waiting to receive a dozen (or thousand...) credit card numbers...

    I want some level of assurance that you are indeed traceable. Even if, to some degree, it's a false hope. Even if you pull off a scam on Verisign (or any other registrar), I know that there is a much larger trail to trace back to you and that it is more likely to get a good response from law enforcement authorities and/or financial institutions.

    On the other hand, I've never concerned myself much with running programs which were self-signed. I mean, heck, I've run unknown programs on my computer since 1988, what's a few 'self-signed' programs...

  • by mpe ( 36238 ) on Monday August 12, 2002 @12:58PM (#4054981)
    Signed certificates simply state that Verisign trusts the company is who it says it is.

    Other than taking money, do they do that much to establish that the company is who they say they are?
    Anyway, the certificate can say that the company is A and the webpage can say it's company B. If the certificate is okayed by Verisign, the user won't even see the certificate by default.
  • Re:So? (Score:5, Interesting)

    by bwt ( 68845 ) on Monday August 12, 2002 @01:39PM (#4055359)
    Any of those companies can "go rogue" and start issuing free certs to anybody who asks, which one of them did a while back (then they succumbed to the pressures and revoked all the rights, which was pretty crummy).

    A certificate authority really is nothing different than a 3rd party who says "that certificate is legit". As you point out, anybody can be a certificate authority. However, I should be able to control who I think is a TRUSTED certificate authority, and the application should assure that I'm only told that certificate authority X certified certificate Y if that did in fact happen. If a CA goes "rogue", you can (and should) simply remove it from CA's that you trust.

    This bug is much worse: IE apparently treats anyone certified by a CA as equivalent to that CA for certification of intermediates. Verisign certifies JohnDoe and then JohnDoe can transitively assert that Verisign certifies BadDude.

    That is a disaster, because it means that in order to trust Verisign, you have to trust **everybody** that Verisign has ever certified, which is impossible.

    Which is why I self-sign everything. Since it all boils down to whether or not you trust me, why should I spend $150 trying to trick you into thinking I've passed some rigorous test for "trust".

    That's why I self-sign everything as you too :-] Seriously, though, there is nothing wrong with self-signing so long as there is an independent way to validate that you are who you say you are. For example, I work in a military environment and our cert admins hand-walk certificates from them to you. Browsers generally come with the big CAs' certificates built in, so it's much easier to validate that Verisign is Verisign.
  • Fixed in Konqueror (Score:2, Interesting)

    by sc0rpi0n ( 63816 ) on Monday August 12, 2002 @02:31PM (#4055786)
    Message on kde-devel:

    Date: Mon, 12 Aug 2002 10:22:55 -0700
    From: Waldo Bastian
    Subject: SECURITY: Konqueror SSL Vulnerability
    To: kde-devel@kde.org, kfm-devel@kde.org

    Konqueror (kssl to be precise) fails to detect certificates as invalid that
    have been signed by an issuer who is not allowed to do so. A patch for this
    problem has been committed to both the CVS HEAD branch and the KDE_3_0_BRANCH.

    KDE packages for the upcoming KDE 3.0.3 release will be updated to include
    this fix. We hope to have binary packages for KDE 3.0.3 available by the
    start of next week.

    Thanks go to Mike Benham and Gregory Steuck for alerting us to the problem.

    See also:
    http://online.securityfocus.com/archive/1/286895/2002-08-08/2002-08-14/1
    http://slashdot.org/article.pl?sid=02/08/12/1341239
    http://www.theregister.co.uk/content/4/26620.html

    Cheers,
    Waldo
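Both bwt's comment above and Waldo Bastian's message come down to one missing check: a chain validator must confirm that each issuer is itself permitted to sign certificates (basicConstraints CA:TRUE and keyCertSign), not merely that its signature verifies. The Go program below is an added illustration, not code from the page, from KDE or from Microsoft; it builds a constructed three-certificate scenario (root-ca.example issues an ordinary cert to johndoe.example, which then signs one for bank.example) and compares a signature-only walk with a verifier that enforces the constraint.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a P-256 cert for cn signed by parent (self-signed when nil); it gets CA:TRUE only if ku includes keyCertSign.
func mkCert(cn string, ku x509.KeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0, KeyUsage: ku,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// sigOK is the whole of the flawed check: the issuer's key verifies the child's ECDSA-SHA256 signature, but nobody asks whether the issuer may sign certificates at all.
func sigOK(child, issuer *x509.Certificate) bool {
	digest := sha256.Sum256(child.RawTBSCertificate)
	return ecdsa.VerifyASN1(issuer.PublicKey.(*ecdsa.PublicKey), digest[:], child.Signature)
}

// Demo: constructed scenario in which an ordinary end-entity cert (johndoe.example) "issues" a cert for bank.example.
func Demo() (flawedAcceptsRogue, properAcceptsRogue, properAcceptsJohn bool) {
	root, rootKey := mkCert("root-ca.example", x509.KeyUsageCertSign, nil, nil)
	john, johnKey := mkCert("johndoe.example", x509.KeyUsageDigitalSignature, root, rootKey)
	rogue, _ := mkCert("bank.example", x509.KeyUsageDigitalSignature, john, johnKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool() // the library verifier enforces CA:TRUE / keyCertSign on every issuer
	roots.AddCert(root)
	inters.AddCert(john)
	_, errRogue := rogue.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "bank.example"})
	_, errJohn := john.Verify(x509.VerifyOptions{Roots: roots, DNSName: "johndoe.example"})
	return sigOK(rogue, john) && sigOK(john, root), errRogue == nil, errJohn == nil
}

func main() { fmt.Println(Demo()) } // expected: true false true
```

The first value is what the buggy browsers effectively computed: every signature in the chain checks out, so the bank.example cert looks legitimate; the second shows a constraint-aware verifier refusing it while (third value) still accepting the genuine johndoe.example cert.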
