IE and Konqueror Bug Makes SSL Insecure
Spad writes "The Register reports that IE and Konqueror both have a bug that allows anyone with a legit Verisign SSL certificate to issue a 'legit' certificate for a 3rd party site. IE and Konqueror don't bother to check the issuer of this intermediate cert, making SSL in both browsers something of a joke". Update by Hetz: if you're using KDE from CVS, the fix is inside, or you can wait until next week for KDE 3.0.3 (which will have more fixes for KDE 3.0). Thanks to Waldo Bastian for the blazing fast fix (95 minutes since it was reported).
funny... (Score:2, Interesting)
So, why on earth would a bank, of all companies, only allow what is probably the most insecure browser around to access the site? A bank, for crying out loud! A company that people trust to handle their hard-earned cash allows only IE to handle "secure" transactions on their site!
And don't get me started on payment processing companies partnering with MS to develop secure payment solutions... You'd think they'd partner with IBM or any other company with a decent track record of reasonable security.
Interesting page (Score:2, Interesting)
Mozilla handles it correctly (Score:2, Interesting)
Re:FP (Score:1, Interesting)
This sort of teething problem is bound to appear in Konqueror and is not really that serious. No doubt it'll be fixed and patched within a few days (or hours, if history is any guide!). It's situations like this when you see just how superior Open Source is as a paradigm.
Comment removed (Score:3, Interesting)
Re:Certificates aren't very effective to begin wit (Score:3, Interesting)
I know the feeling... the only other problem is, though, how does the vast consumer-base out there deal securely online? It doesn't add anything to have to phone up to read out an SSL certificate fingerprint - you might as well just place the order over the phone!
Maybe what we need is a kind of web-of-trust like the idea of a PGP key-server, only for SSL certificates?
This just makes three (Score:3, Interesting)
I love KDE, but I will love it fully when I can stop having to load gnome-ish apps like Mozilla to cover up KDE's shortcomings.
siri
Re:Incident response? Let the race begin! (Score:4, Interesting)
Re:So? (Score:3, Interesting)
I know that Verisign is less than absolutely trustworthy. I also know they take at least basic steps to ensure they issue a certificate to the correct entity. (Yes, they have made mistakes on that in the past, re: Microsoft).
I don't on the other hand, have any reason to believe you aren't a fly-by-night huckster waiting to receive a dozen (or thousand...) credit card numbers...
I want some level of assurance that you are indeed traceable. Even if, to some degree, it's a false hope. Even if you pull off a scam on Verisign (or any other registrar), I know that there is a much larger trail to trace back to you and that it is more likely to get a good response from law enforcement authorities and/or financial institutions.
On the other hand, I've never concerned myself much with running programs which were self-signed. I mean, heck, I've run unknown programs on my computer since 1988; what's a few 'self-signed' programs...
Re:Certificates aren't very effective to begin wit (Score:3, Interesting)
Other than take money, do they do that much to establish that the company is who they say they are?
Anyway, the certificate can say that the company is A and the webpage can say it's company B. If the certificate is okayed by Verisign, the user won't even see the certificate by default.
Re:So? (Score:5, Interesting)
A certificate authority really is nothing different than a 3rd party who says "that certificate is legit". As you point out, anybody can be a certificate authority. However, I should be able to control who I think is a TRUSTED certificate authority, and the application should assure that I'm only told that certificate authority X certified certificate Y if that did in fact happen. If a CA goes "rogue", you can (and should) simply remove it from CA's that you trust.
This bug is much worse: IE apparently treats anyone certified by a CA as equivalent to that CA for certification of intermediates. Verisign certifies JohnDoe and then JohnDoe can transitively assert that Verisign certifies BadDude.
That is a disaster, because it means that in order to trust Verisign, you have to trust **everybody** that Verisign has ever certified, which is impossible.
Which is why I self sign everything. Since it all boils down to whether or not you trust me, why should I spend $150 trying to trick you into thinking I've passed some rigorous test for "trust".
That's why I self-sign everything as you too
Fixed in Konqueror (Score:2, Interesting)
Date: Mon, 12 Aug 2002 10:22:55 -0700
From: Waldo Bastian
Subject: SECURITY: Konqueror SSL Vulnerability
To: kde-devel@kde.org, kfm-devel@kde.org
Konqueror (kssl to be precise) fails to detect certificates as invalid that
have been signed by an issuer who is not allowed to do so. A patch for this
problem has been committed to both the CVS HEAD branch and the KDE_3_0_BRANCH.
KDE packages for the upcoming KDE 3.0.3 release will be updated to include
this fix. We hope to have binary packages for KDE 3.0.3 available by the
start of next week.
Thanks go to Mike Benham and Gregory Steuck for alerting us to the problem.
See also:
http://online.securityfocus.com/archive/1/
http://slashdot.org/artic
http://www.theregister.co.uk/content/4/26620.h
Cheers,
Waldo
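The chain-walking defect described in the comment above ("Verisign certifies JohnDoe and then JohnDoe can transitively assert that Verisign certifies BadDude") and in Waldo Bastian's mail ("signed by an issuer who is not allowed to do so") comes down to one missing check: whether each issuer in the chain is itself marked as a CA (the X.509 basicConstraints cA flag). The following toy validator is an added illustration written for this page; it is not kssl, Konqueror or IE code. Real public-key signatures are replaced by HMAC-SHA256 stand-ins (a shared-secret lookup stands in for verifying with the issuer's public key), and every name, key and certificate below is constructed. The `enforce_ca_bit` switch reproduces the flawed behaviour beside the corrected one.

```python
"""Toy model of X.509 chain validation, with and without the basicConstraints check.

Added illustration, not kssl/Konqueror/IE code. Signatures are HMAC-SHA256
stand-ins; all names, keys and certificates are constructed for this example.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Dict, List

# Constructed stand-in signing secrets, keyed by the holder's key id.
# In reality the issuer signs with a private key and the verifier checks
# with the issuer's public key; here one shared secret plays both roles.
SIGNING_KEYS: Dict[str, bytes] = {
    "verisign-key": b"constructed-root-secret",
    "johndoe-key": b"constructed-johndoe-secret",
    "goodca-key": b"constructed-intermediate-secret",
}


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool        # basicConstraints cA flag: may this holder sign certificates?
    key_id: str        # stands in for the subject's public key
    signature: bytes   # issuer's signature over the to-be-signed fields

    def tbs(self) -> bytes:
        """The 'to be signed' fields, in a fixed serialisation."""
        return f"{self.subject}|{self.issuer}|{int(self.is_ca)}|{self.key_id}".encode()


def sign(unsigned: Cert, signer_key_id: str) -> Cert:
    sig = hmac.new(SIGNING_KEYS[signer_key_id], unsigned.tbs(), hashlib.sha256).digest()
    return replace(unsigned, signature=sig)


def issue(subject: str, is_ca: bool, issuer: Cert) -> Cert:
    """The issuer signs a new certificate for `subject` with its own key."""
    return sign(Cert(subject, issuer.subject, is_ca, f"{subject}-key", b""), issuer.key_id)


def signature_ok(cert: Cert, issuer: Cert) -> bool:
    """Does `issuer`'s key verify the signature on `cert`?"""
    key = SIGNING_KEYS.get(issuer.key_id)
    if key is None:
        return False
    expected = hmac.new(key, cert.tbs(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.signature)


def validate_chain(leaf: Cert, intermediates: List[Cert], roots: Dict[str, Cert],
                   enforce_ca_bit: bool = True, max_depth: int = 8) -> bool:
    """Walk from the leaf up to a configured trust anchor.

    enforce_ca_bit=False reproduces the defect discussed above: every
    certificate holder is accepted as an issuer of further certificates.
    """
    by_subject = {c.subject: c for c in intermediates}
    current, depth = leaf, 0
    while depth < max_depth:
        root = roots.get(current.issuer)
        if root is not None:                      # reached a trust anchor
            return signature_ok(current, root)
        issuer = by_subject.pop(current.issuer, None)   # pop: each cert used once, no loops
        if issuer is None:
            return False                          # chain does not reach a trusted root
        if enforce_ca_bit and not issuer.is_ca:
            return False                          # end-entity cert is not allowed to sign
        if not signature_ok(current, issuer):
            return False
        current, depth = issuer, depth + 1
    return False


# Constructed scenario mirroring the thread: a root, an ordinary site
# certificate (JohnDoe), a forged third-party certificate signed by JohnDoe,
# and, for comparison, a legitimate intermediate CA and its site certificate.
VERISIGN = sign(Cert("verisign", "verisign", True, "verisign-key", b""), "verisign-key")
ROOTS = {VERISIGN.subject: VERISIGN}
JOHNDOE = issue("johndoe", False, VERISIGN)                  # end-entity, is_ca=False
FORGED_BANK = issue("www.bank.example", False, JOHNDOE)      # JohnDoe "certifies" a 3rd party
GOODCA = issue("goodca", True, VERISIGN)                     # a real intermediate CA
REAL_BANK = issue("www.bank.example", False, GOODCA)


def demo() -> Dict[str, bool]:
    """Outcome of both chains under the flawed and the corrected validator."""
    return {
        "forged_flawed": validate_chain(FORGED_BANK, [JOHNDOE], ROOTS, enforce_ca_bit=False),
        "forged_fixed": validate_chain(FORGED_BANK, [JOHNDOE], ROOTS),
        "legit_flawed": validate_chain(REAL_BANK, [GOODCA], ROOTS, enforce_ca_bit=False),
        "legit_fixed": validate_chain(REAL_BANK, [GOODCA], ROOTS),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The flawed validator accepts the forged chain because every signature in it is genuine: JohnDoe really did sign the bogus bank certificate and Verisign really did sign JohnDoe's. Only the CA-flag check distinguishes "Verisign vouched for JohnDoe as a web site" from "Verisign vouched for JohnDoe as an issuer", which is why removing that one line turns every customer of a trusted CA into a trusted CA.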