×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

IE and Konqueror Bug Makes SSL Insecure

CmdrTaco posted more than 11 years ago | from the well-doesn't-that-suck dept.

Security 452

Spad writes "The Register reports that IE and Konqueror both have a bug that allows anyone with a legit Verisign SSL certificate to issue a 'legit' certificate for a 3rd party site. IE and Konqueror don't both to check the issuer of this intermediate cert making SSL in both browsers something of a joke". Update by Hetz: if you're using KDE from CVS, the fix is inside or you can wait to next week for KDE 3.0.3 (which will have more fixes for KDE 3.0). Thanks to Waldo bastian for the blazing fast fix (95 minutes since it was reported).

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

452 comments

Wow... (-1, Troll)

Klerck (213193) | more than 11 years ago | (#4053993)

After all this time of blaming Microsoft for stealing code, it turns out Konqueror stole code from Microsoft. For shame.

Shut up you fag. (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4054040)

Since trollaxor.com is gone, you feel the need to spread your unique brand of faggotry back to Slashdot. The only good thing about Trollaxor.com is that it kept queers like you away.

Go away, you are scum.

We didn't need to... (-1)

JismTroll (588456) | more than 11 years ago | (#4054187)

The faggotry is already readily apparent. We just sit back and mock while faggots like you tacosnot eachother with your homoerotic Lunix zealotry.

And... (0)

Anonymous Coward | more than 11 years ago | (#4053998)

what about the core of konqueror (Mozilla)?

Re:Addressed in the article (1)

ianscot (591483) | more than 11 years ago | (#4054017)

Konqueror turned out quite vulnerable, as I mentioned above. Mozilla was not vulnerable, but I'm not sure if that's because it handled the situation properly, or is, ironically, somehow too buggy to be exploited.
The author checked.

Re:And... (1)

spencerogden (49254) | more than 11 years ago | (#4054018)

How exactly is mozilla the core of konq?

if you install kde-bindings ... (2, Informative)

dlasley (221447) | more than 11 years ago | (#4054217)

if you install kde-bindings for konqueror when you install KDE then it uses the mozilla engine to render HTML/CSS/JavaScript etc. when you surf. however, i don't believe installing kde-bindings exempts konqueror from this problem - Security is handled in a separate module within the Control Center. anyone know otherwise?

Re:And... (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4054033)

Mozilla isn't the core of Konqueror. The KDE folks made their own thing, duplicating the effort of others rather than combining their efforts... This *is* open sores software, after all.

Re:And... (0)

Anonymous Coward | more than 11 years ago | (#4054055)

But why duplicate something horrendously bloated and slow when you can write a good, clean and fast implementation yourself? Isn't that what Open Source is all about? Otherwise we wouldn't have alternatives to Microsoft Windows.

Watch this (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4054072)

Watch the above post get moderated down to -1 Troll by some zealous Mozilla-head...

Huh? (1)

shadow303 (446306) | more than 11 years ago | (#4053999)

Can I get an english translation of the poster's last sentence?

Re:Huh? (0)

CptNoSkill (528594) | more than 11 years ago | (#4054052)

There's no checking of basic constraints. Thus an attacker can obtain a legitimate SSL cert for his domain and use it to sign a dummy cert for a second site...More specifically, a cert which should not be used to sign others simply isn't checked. It's entirely possible to specify that a given cert is not valid to sign others

Sometimes it helps to read the article before asking questions....

Re:Huh? (2, Funny)

erpbridge (64037) | more than 11 years ago | (#4054065)

IE and Konqueror don't bother to check the issuer of this intermediate certificate, making SSL in both browsers something of a joke.

Now, in L33T SP34K:
1E 4ND KoNKw3R0r d0n'T BO+her tO cHeCK Th3 1$Su3r 0f +h15 iNTERmEdi@+E cEr+1PHiC4+3, M4K1nG 55l iN BO+h BR0w5ERS 5OMe+hIN9 0F @ JoK3.

Anyone up for Swedish Chef'ing this?

Interface this (2)

First Person (51018) | more than 11 years ago | (#4054127)

Now, in L33T SP34K:

Clearly, this [google.com] is for you. As for your Scandanavian relatives with professional interests in cooking, you might suggest they visit this [google.com] instead.

Re:Huh? (0)

Anonymous Coward | more than 11 years ago | (#4054200)

IE und Kunqooerur dun't buzeer tu check zee issooer ooff thees intermedeeete-a certeefficete-a, mekeeng SSL in but broosers sumetheeng ooff a juke-a.

From the Rinkworks Dialectizer [rinkworks.com]...

Re:Huh? (5, Informative)

sporty (27564) | more than 11 years ago | (#4054066)

Let's say I go to verisign and get a certificate for encryption, which also garantees my identity. With in the cert, is my information, encryption information, where the cert came from and who issued the cert. I can use my cert to generate other certs using encryption software.

What this means, for people who have browsers which don't check where the cert came from, will not be warned that a certificate was granted from an untrusted source. Who are trusted sources? AOL, Thawte, Verisign.. etc.. Look in browser prefs for certificate authorities; the trusted circle of people to say you are who you are.

Why is this dangerous? Well, for one, you can claim you are whomever you wish, while looking like you are from this trusted circle. You look like you are from this trusted circle because no one claims otherwise. Your browser would usually bitch at you about certs made from non-authorities. But since your browser won't bitch about where your cert came from, and just looks at the authority..

So what if it isn't from a trusted circle? Using this in combination with dns spooofing, you could get people to give you information over ssl "secure connection" (rolling eyes) without the browser bitching at you that the cert you are looking at was made by verisign but not issued by verisign.

Re:Huh? (0)

Anonymous Coward | more than 11 years ago | (#4054112)

Still, with checking in place, I can just go to verisign, get me a cert. Start producing certs, selling to Jack O'Fraud, pornsites, whatever. Your browser wont complain.
When someone figures out I was in the trust chain, well, ofcourse my laptop with all original certs were stolen a few months back.
Or I go hide in Mexico a few months...
Gee.. are we really trusting this thing.

Re:Huh? (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4054069)

Grabble googolo Konqueror guiq IExplorer fa grety SSL powomat guiq.
(atleast how i interpreted it.)

Re:Huh? (1, Funny)

Anonymous Coward | more than 11 years ago | (#4054178)

Can I get an english translation of the poster's last sentence?

All your kardz are belong to us.

SSL (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4054000)

First stolen credit card post.

See! (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4054001)

This is exactly why all you Konqueror users should be using Mozilla, or at least KMozilla.

Konqueror (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4054004)

What do you expect from a group of sweaty hobbyist programmers that pigheadedly insist on naming their programs in Klan-talk?

Klan-talk? (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4054032)

What the hell is "Klan-talk"?

What about Mozilla (1)

SpanishInquisition (127269) | more than 11 years ago | (#4054005)

I assume that if you don't mention it,Mozilla doesn't have this problem?

Re:What about Mozilla (4, Informative)

baldass_newbie (136609) | more than 11 years ago | (#4054024)

From the article:
"Mozilla was not vulnerable, but I'm not sure if that's because it handled the situation properly, or is, ironically, somehow too buggy to be exploited."

I don't know if that's exactly a show of support. It goes into more depth if you'd bother to read the article.

Re:What about Mozilla (1)

Frank Grimes (211860) | more than 11 years ago | (#4054132)

"Mozilla was not vulnerable, but I'm not sure if that's because it handled the situation properly, or is, ironically, somehow too buggy to be exploited." I don't know if that's exactly a show of support. It goes into more depth if you'd bother to read the article.
He was using an old version of Mozilla (0.94). Has anybody tried this with 1.0 or 1.1?

Re:What about Mozilla (2, Informative)

Jucius Maximus (229128) | more than 11 years ago | (#4054195)

"Has anybody tried this with 1.0 or 1.1?"

I've had Moz 1.1 complain about certificates where the cert company was inconsistent with the issuer.

Re:What about Mozilla (0)

Anonymous Coward | more than 11 years ago | (#4054025)

RTFA
But I did test it on Mozilla 0.9.4, which Benham says isn't vulnerable, and Konqueror 3.0 (KDE 3.0.2 on SuSE 8.0), which he doesn't mention.

Konqueror turned out quite vulnerable, as I mentioned above. Mozilla was not vulnerable, but I'm not sure if that's because it handled the situation properly, or is, ironically, somehow too buggy to be exploited.

Re:What about Mozilla (2, Informative)

CptNoSkill (528594) | more than 11 years ago | (#4054026)

No, if (shock) you had read the article, you would have seen that Mozilla (.94) is working fine and does not suffer from this problem. It has yet (IIRC) to be tested on newer versions, but they should still be fine...

Re:What about Mozilla (2)

LoonXTall (169249) | more than 11 years ago | (#4054110)

The version of this exploit referenced from Larholm's unpatched IE vulnerabilities does not work in Moz 1.0-RC3. It fails with "connection refused".

Mozilla handles it correctly (2, Interesting)

FooBarWidget (556006) | more than 11 years ago | (#4054203)

A few weeks ago I ran into a site (forgot which one) that has a certificate belonging to another site. Mozilla detected that and displayed a warning dialog.

Bingo (-1, Troll)

tanveer1979 (530624) | more than 11 years ago | (#4054008)

"IE and Konqueror don't both to check the issuer of this intermediate cert making SSL in both browsers something of a joke."

And it was caught so late! And that makes me think wether the abouve statement is right? If it was somehting very serious and obvious... then it should have been caught long time ago.
I wonder how many more bugs are lurking!

Heh (3, Insightful)

kraf (450958) | more than 11 years ago | (#4054010)

Has Slashdot become the comment board for The Reg articles ?

Re:Heh (1)

casings (257363) | more than 11 years ago | (#4054063)

the problem is this was on bugtraq way before it was on the register :(

Re:Heh (1)

taviso (566920) | more than 11 years ago | (#4054141)

Thomas C Greene makes a living out of reading bugtraq and regurgitating it on the register, his articles consist of little else except the odd convention commentary.

my favourite comment:


Konqueror turned out quite vulnerable, as I mentioned above. Mozilla was not vulnerable, but I'm not sure if that's because it handled the situation properly, or is, ironically, somehow too buggy to be exploited.


this seems to be a pretty black & white flaw, the browser is either vulnerable or not vulnerable, how can it be "quite vulnerable" ?

and why on earth is he flaming mozilla for handling the situation correctly ?, another typical TCG comment - plenty of opinion, not much fact.

Re:Heh (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4054151)

and "regulations" have them up to 4 days late....

you mean it's not?

Sounds like a feature to me! (4, Funny)

Nonesuch (90847) | more than 11 years ago | (#4054011)

I've been looking for a way to issue new "trusted" certificates for my web sites without having to pay big bucks to Verisign.

Little did I know, the answer was right in front of me, in the form of the one Verisign certificate I shelled out the cash for :-)

Security. (2, Funny)

saintlupus (227599) | more than 11 years ago | (#4054012)

making SSL in both browsers something of a joke.

And here I was assuming that a fine MS product like Internet Explorer would embody the rock-solid security I've come to expect from the fellows in Redmond.

For shame, for shame.

--saint

Re:Security. (1, Insightful)

Anonymous Coward | more than 11 years ago | (#4054097)

I know.. At least those dirty GNU hippies got it right.

What? You say konqueror's affected?

"You"? (1)

saintlupus (227599) | more than 11 years ago | (#4054174)

You say konqueror's affected?

No, _I_ say konqueror's a dreadful piece of shit. Or at least is was circa KDE 2.2.x -- haven't used it since.

Unless you meant "you" as in "all the Slashbots", in which case I would remind you that not everyone posting here is a filthy GNU hippie.

--saint

Re:Security. (1, Flamebait)

doofusclam (528746) | more than 11 years ago | (#4054185)

And here I am on Slashdot, assuming that a topic which shows vulnerabilities in both Konqueror and IE would refrain from the IE bashing, or maybe bash both?

But no some dumbass comes out and says something stupid anyway. You gonna bash Konqueror now??

Come on! (-1, Offtopic)

sofo (18554) | more than 11 years ago | (#4054014)

You can plaster Slashdot with horrid Star Wars and Lord of the Rings spoof ads. but you cannot check the spelling and grammar of the posts.

Scary

SSL is insecure? (1, Insightful)

dave-fu (86011) | more than 11 years ago | (#4054020)

Funny, I'd say the implementations are flawed and they're insecure. If the adhered to the RFC as it was written (rather than glossing over one little step), millions of users wouldn't be in a bind here.
That said, calling SSL insecure is about as sane as calling email insecure because flawed implementations are plagued with problems or http insecure because some web servers choke on archaic flags and such.
The moral of the story? Read your RFCs and then re-read them with a friend or two to make sure you read them right the first time.

Re:SSL is insecure? (5, Insightful)

kasparov (105041) | more than 11 years ago | (#4054076)

Since the title of the article is "IE and Konqueror bug makes SSL Insecure" and the article body says "IE and Konqueror don't both to check [sic] the issuer of this intermediate cert making SSL in both browsers something of a joke," then I would venture to say that they were not calling SSL in itself insecure. Let's try not to be nit-picky for the sake of being nit-picky.

Re:SSL is insecure? (2, Insightful)

Valar (167606) | more than 11 years ago | (#4054164)

Ask yourself, how is that insightful? The author clearly intended that the SSL functionality in the browsers is a joke. Not SSL itself. In fact, it says that both in the story and the comment. Do not be tempted onto the moderation bandwagon!

Re:SSL is insecure? (1)

timcuth (73315) | more than 11 years ago | (#4054169)

I don't know the answer to whether "SSL in itself" is insecure, but as an Oracle DBA, I just received a security warning from Oracle that states "There are remotely exploitable buffer overflow vulnerabilities in OpenSSL versions prior to 0.9.6e". This sounds to me like it is SSL itself that has the problem (if, indeed, this is the same problem).

Here are Oracle's reference links:
http://www.openssl.org/news/secadv_2002073 0.txt
http://www.cert.org/advisories/CA-2002-23.h tml

Tim

Re:SSL is insecure? (0)

Anonymous Coward | more than 11 years ago | (#4054107)

Maybe I missed it, but who's calling SSL insecure? The article simply points out that there is a bug in Konqueror and MSIE that causes SSL to be handled improperly. ...or was this just making an issue out of nothing because most moderators wouldn't notice? Combined with the fact that you posted only minutes after the story went up on the front page, you've got a sure-fire recipe for a +5 score. Way to go!

All Your Bugs Are Belong to Us (-1)

Trebinor (156202) | more than 11 years ago | (#4054027)

"IE and Konqueror don't both to check the issuer of this intermediate cert making SSL in both browsers something of a joke."

What you say?!

Secure SSL is a joke (0, Troll)

Anonymous Coward | more than 11 years ago | (#4054028)

with names displayed in a font in which capital-I and lower-case-l look the same, do you accept this certificate from lnteI?

Not surprising (2, Funny)

leviramsey (248057) | more than 11 years ago | (#4054038)

After all, Konqueror is clearly a clone of IE (think about it: explorer vs. conqueror, both are file-managers cum web browsers, etc.). This is just a demonstration of how well the KDE people can emulate MS.

humm.. (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4054047)

Ok what is so insequre here. Must sites use SSL to just encrypt the damn stream so sniffers will see garbage.

Re:humm.. (0)

Anonymous Coward | more than 11 years ago | (#4054190)

ummmm no, most sites use it to stop man-in-the-middle attacks, and so you know your web traffic is going to who you think it is, and not some dude who poisoned your dns.

How long have the blackhats known? (1, Troll)

Jeppe Salvesen (101622) | more than 11 years ago | (#4054051)

Really - wouldn't this sort of vulnerablility be possible to extract by listening intently to the https behavior?

And is this OpenSSL-wide? Is that what Konqueror uses? And - how could this vulnerability exist in an open source library?

The Joke had already been made... (1)

marko123 (131635) | more than 11 years ago | (#4054056)

When companies set themselves up to charge hundreds of dollars for strings of unique data called Certificates. It's frigging disgusting. I'd trust a private key long before I bought a certificate by companies who slam, and from companies who sold my identity to spammers.

Hang on, which one was which?

Re:The Joke had already been made... (1)

casings (257363) | more than 11 years ago | (#4054088)

the problem is the client. If you have a private key and a browser comes up with an erroneous key, what is stopping someone from doing a mim attack on you because the client can't tell the difference between a faked key and the one that he has to push yes to upon entering the damn site?

unfortunately these companies are trusted, and should be. I don't like verisign anymore than the next person but who else is gonna do it, M$?

Re:The Joke had already been made... (3, Insightful)

sphealey (2855) | more than 11 years ago | (#4054202)

the problem is the client. If you have a private key and a browser comes up with an erroneous key, what is stopping someone from doing a mim attack on you because the client can't tell the difference between a faked key and the one that he has to push yes to upon entering the damn site?
Have you ever known anyone (except perhaps Bruce Sterling) to visit a site to get a download or submit an order, get a "certificate not known" message, and do anything except click "Proceed"? Joe and Jane sysadmin, much less Richard and Sally end user, have no idea how certificates work and what answers should be given to what dialogue.

Totally broken protocol from the end users' perspective.

sPh

Whoah... (0, Flamebait)

Anonvmous Coward (589068) | more than 11 years ago | (#4054059)

... you mean Linux isn't 100% secure? How humbling!

Re:Whoah... (2)

elmegil (12001) | more than 11 years ago | (#4054136)

This gives us a beautiful opportunity to demonstrate the advantages of open source over closed source when it comes to bugfixes. I'm really interested to see the results and whether reality lives up to rhetoric.

Beating the Slashdot Effect (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4054061)

Here is my great idea for beating the Slashdot Effect. It is guaranteed to be effective - just follow these easy steps:

1. Don't assume that just because a site appears on slashdot that it is going to be:
[a] even remotely interesting
[b] within the realms of your tiny brains to understand
[c] in any way related to anything that will ever improve your life, health, career, sex-appeal etc

2. Don't complain about the "poor little site" that got slashdotted. In order to know the site has gone down, you must have clicked the link numbnuts. And NO, pressing F5 doesn't improve your chances.

3. If by chance you see a site that you really need to visit consider these options:
[a] check the google cache
[b] go read about it on The Register - the Brits are much more capable reporters than the Slashdot baboons.
[c] wait until tomorrow. contrary to james bond films, the world is not full of evil geniuses hell-bent on destroying the world and robbing you of your precious internet.

4. Finally if you are one the egotistical maniacs who think that posting a story to slashdot will help you make friends consider the following:
[a] make a mirror of the poor site before you post
[b] stop. think. is it worth it? the slashdot baboons are NOT going to invite you round their house for tea.
[c] i know that this is hard to understand but kudos does not exist. its all in your head. geeks don't like each other - they are geeks for christ sake.
[d] if you found something cool on a news site, take a moment to think about it. Its on a news site already. A place where people go to read news.

On my opinion it's not a bug - it's a feature! (1)

WetCat (558132) | more than 11 years ago | (#4054071)

IMHO:
Finally get rid of that "Certificate check" stuff!

Reality check: people do not use certificates to check recipient validity. They use SSL to cover traffic in transit. Man in the middle attack is much more remote possibility than having unencripted traffic flow.

People that didn't check certificates are getting what they ought to.

It's the front page! ARG. (0, Offtopic)

debiandude (515835) | more than 11 years ago | (#4054074)

Can't we check before we post!
IE and Konqueror don't
both to check the issuer of this intermediate cert making SSL in both browsers something of a joke

Hey Microsoft !!!! (-1, Redundant)

Aceticon (140883) | more than 11 years ago | (#4054075)

*show tongue*
Na, na, na, na, naa, na ...

...


What do you mean Konqueror has it too ???

...


Oops ... please disregard my post.

Spoof? (1)

Density_Altitude (250074) | more than 11 years ago | (#4054078)

After associating Benham's test-page IP with www.amazon.com in my hosts file I found that in Konqueror, following a link to https://www.amazon.com brought me immediately to the 'you've been hacked' page
It seems normal to me that after associationg the IP with the amazon domain name in your hosts file, the malicious IP gets precedence over the autoritative association from the DNS.
So he dosen't get to the real amazon.com, obviously. If this attack requires a domain spoof it's quite unlikely to happen IMHO.

Re:Spoof? (2)

danheskett (178529) | more than 11 years ago | (#4054145)

Yeah, this seems really, really unlikely to occur. The chain of events that it'd take to make it work against a live, functioning server would be pretty impressive.

Man-in-the-middle attacks are very complex and not likely to be pulled off "in the wild".

But still, its a bug. It must be fixed.

Re:Spoof? (2)

gmack (197796) | more than 11 years ago | (#4054197)

I disagree they are easier to pull off than people think. DNS buffer overflows have been rather common in the past and for the longest time IE allowed hostile pages to overwrite c:\windows\hosts (Not sure if they have even fixed this issue)

Re:Spoof? (3, Insightful)

roca (43122) | more than 11 years ago | (#4054209)

> Man-in-the-middle attacks are very complex and
> not likely to be pulled off "in the wild".

No. MITM attacks are very easy to pull off with the right tools. You can easily take control of any TCP connection made by any other machine on the same Ethernet. Even if the network is fully switched you can use ARP poisoning to get around that.

Of course, if you manage to take control of a DNS server then you can easily do MITM attacks against many machines. Heck, do you trust the employees of your ISP with your banking information?

Re:Spoof? (4, Informative)

gmack (197796) | more than 11 years ago | (#4054157)

Don't be so sure about that. For the longest time windows allowed javascript to edit c:\windows\hosts (has the same affect)

Also the entire *point* of SSL certs is to make this sort of thing impossible. It should have popped up a warning telling the user that it wasn't the real certificate.

Guess KDE tried to emulate windows a bit to much (0)

SmallFurryCreature (593017) | more than 11 years ago | (#4054081)

I never liked KDE, so sue me. It for my tastes tries to hard to be like windows including its online HELP crap in html. Thank god then that I never used it :-) as sadly they seem to take over the shoddy coding as well.

Oh and please I do know that this is probably just a simple oversight that they will patch in a few hours. Unlike MS wich probably includes a EULA requiring you to sign over you're first born. This is just a way for me to stab back against all those KDE users that make fun of my enlightenment/opera setup.

Start Timing... (3, Insightful)

Vengie (533896) | more than 11 years ago | (#4054084)

Before the M$ vs Everyone war starts...how about we have a fair and simple timing contest.....where does this get fixed first? ;)

Re:Start Timing... (1)

Winterblink (575267) | more than 11 years ago | (#4054196)

Wow, a geek race. This should be interesting. Not. Who the hell cares which group fixes the bug the fastest, as long as both fix it in a timely fashion (ie. as fast as possible)?

So? (5, Insightful)

dasmegabyte (267018) | more than 11 years ago | (#4054085)

The certificate issuer is not exactly a secure concept anyway. The whole idea of "trusted providers" being a list of folks engineered by the browser's authors is just asking for trouble. Any of those companies can "go rogue" and start issuing free certs to anybody who asks, which one of them did a while back (then they succombed to the pressures and revoked all the rights, which was pretty crummy).

Besides, the contracts of all cert providers totally absolves them from any crime or misuse of data undertaken by their issued members. Which is a strange definition of "trust"...that it can only be placed in an unknown third party who has no control nor responsibility over the site you're connecting to, and neither has any liability should your data wind up in the hands of ne'erdowells.

Which is why I self sign everything. Since it all boils down to whether or not you trust me, why should I spend $150 trying to trick you into thinking I've passed some rigorous test for "trust". All that matters is that the data users send me is encrypted, which it is. That $150 cuts into my already wafer thin margins, and it cuts even more when you think I'll have to get a different sert for each of my subdomains.

Which is where this bug is actually beneficial. It allows you to get signed once for all your domain names. No more paying exorbitant sums for the paltry 10,000 cycles of processor time it takes to generate a certificate, you can get www.yourdomain as well as yourdomain, yourmisspelleddomain, secure.yourdoman and mail.yourdomain certified for the price of one. Just sign the main site...and use the money to buy an escrow insurance policy.

Re:So? (0, Offtopic)

dasmegabyte (267018) | more than 11 years ago | (#4054102)

Sorry for all the misspellings in this post. I had to go to the bathroom since I started typing it.

Re:So? (5, Insightful)

mlong (160620) | more than 11 years ago | (#4054146)

Which is why I self sign everything. Since it all boils down to whether or not you trust me, why should I spend $150 trying to trick you into thinking I've passed some rigorous test for "trust". All that matters is that the data users send me is encrypted, which it is. That $150 cuts into my already wafer thin margins, and it cuts even more when you think I'll have to get a different sert for each of my subdomains.

Unfortunately most clients/browsers seem to go out of their way to discourage self-signed certificates with error messages that sound like "This certificate was self-signed. We don't know who the hell this person is. They could be a terrorist wanting to destroy your computer. If you click YES then they could format your harddrive and steal your credit card. By the way, even if you click YES we'll keep asking you everytime you visit this site unless they shell out some $ to Verisign or Thawte"

Re:So? (0)

Anonymous Coward | more than 11 years ago | (#4054180)

Agreed. It's marketing. To stop man in the middle and other attacks, you have to encrypt everything on both ends as early as possible -- not just after getting an OK from some third party.

To give customers a warm feeling, using 3rd party certificates can be used but if you stop there you're not doing your customers any favors.

The Race is on... (0, Redundant)

psychofox (92356) | more than 11 years ago | (#4054091)

This should be interesting:

An identical flaw in a piece of Microsoft and a piece of Open Source software...

I wonder which will be fixed first?

Re:The Race is on... (0)

Anonymous Coward | more than 11 years ago | (#4054149)

Since we already have a patch for Konq (we'll release it as soon as we're happy it doesn't introduce any secondary issues). I suspect we may be first.

Rich.
rich@kde.org

Opera? (1)

JayAndSilentBob (517888) | more than 11 years ago | (#4054092)

The article doesn't mention Opera. Anyone know if it is vulnerable> I certainly hope it isn't. Mozilla is marginally functional at best, and slow as molasses. Having Opera fail would mean there is NO Win32 browser that is safe to use. My bank's gonna be pissed if this gets out too far after their "Safe, Secure, Internet Banking" campaign. Oh worry me.....

Re:Opera? (2)

13Echo (209846) | more than 11 years ago | (#4054198)

Especially considering that a lot of online banks forcefully opt to make you use IE nowadays which is rediculous). I usually have to set Opera to act as IE5 or Mozilla 4.78 to get banking sites to allow me to log in. Makes it a pain for Linux users like myself, when the bank insists that you use an insecure browser.

Where is the logic in that?

And please don't take this as a flame against Windows and IExplore. Konq has the same problem, but it will be fixed like- immediately. No waiting on the MS code monkeys to do the job.

both? what? (1)

mlong (160620) | more than 11 years ago | (#4054108)

IE and Konqueror don't both to check the issuer

I guess you meant bother as in "I didn't bother to proofread my submission to Slashdot"

Re:both? what? (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4054159)

Maybe he used a spellchecker and it went something like:

"bothr" doesn't exist, replace with "both"? Yes.

can bug yourself (1)

armchairlinguist (580975) | more than 11 years ago | (#4054117)

Considering how little attention most people pay to who signs their certificates even if they are warned about them, even people with browsers which perform proper checks on these things may be able to affect themselves. Lesson there: read the certificate warnings, I guess.

funny... (2, Interesting)

Ender Ryan (79406) | more than 11 years ago | (#4054124)

Just this weekend my fiancee was trying to pay her credit card bill online. However, the bank's site wouldn't allow any browser other than IE into their site to pay. So she used Opera and masqueraded as IE.

So, why on earth would a bank, or all companies, only allow what is probably the most insecure browser around to access the site? A bank for cryin out loud! A company that people trust to handle their hard earned cash, allows only IE to handle "secure" transactions on their site!

And don't get me started on payment processing companies partnering with MS to develop secure payment solutions... You'd think they'd partner with IBM or any other company with a decent track record of reasonable security.

Re:funny... (0)

Anonymous Coward | more than 11 years ago | (#4054212)

Banks are cheap cheap cheap. I've worked on baking projects, and on a few of them they contracted out for work and then refused to pay unless sued. All lawsuits settled in favor of the vendor I worked for btw....

Security is second to effency. If "it works" and customers don't have to change thier habits, the bank is happy.

There is an open bug report on the Mozilla site dealing with bank and financial institutions. If your bank does not work, add it to the list. Most times, a letter or email to the site operator is enough to fix the problem -- and in the meantime there might be a simple work around.

Grammar? (1)

derch (184205) | more than 11 years ago | (#4054125)

Okay, I am getting tired of seeing obvious typos and grammatical errors here. So many Slashdotters feel they are more intelligent than the average user and the unwashed masses, yet the editors and the submitters can't properly proof read stories. The editors can't even be bothered to edit a story after a major typo or when posters plainly point out an article is flat our wrong.

While I'm complaining about Slashdot, when did qualitative kharma replace quantitative kharma?

(If this post contains errors, feel free to point them out. I don't care about grammar in comments. My main concern is decent English in the article write ups.)

Re:Grammar? (0, Offtopic)

Winterblink (575267) | more than 11 years ago | (#4054171)

So many Slashdotters feel they are more intelligent than the average user and the unwashed masses, yet the editors and the submitters can't properly proof read stories.

Nice summary, right there. That should tell you one thing: many slashdotters are frickin' morons (as evidenced by the anti MS bias that's reached childish levels). I've noticed this lack of proofreading as well, it's become pretty bad as of late. How hard is it to spend an extra few seconds to preview a submission or comment before clicking Submit?

testing Moz 0.9.4 doesn't qualify as a test (4, Informative)

ChrisCampbell47 (181542) | more than 11 years ago | (#4054129)

Testing Moz 0.9.4 doesn't qualify as a test. Nor does slagging 0.9.4 bugs qualify as slagging Mozilla.

Somebody please turn this guy onto Mozilla 1.0!

Copywriting? (1)

shmigget (459421) | more than 11 years ago | (#4054130)

"IE and Konqueror don't both to check the issuer ...." C'mon, Taco, get another pair of eyes on your copy before you post it.

Incident response? Let the race begin! (2, Insightful)

simpleguy (5686) | more than 11 years ago | (#4054139)

Lets see how fast the KDE team fixes their software and how fast the Microsoft team fixes theirs. If its not already done that is.

Re:Incident response? Let the race begin! (2, Informative)

Chunky-Spinach (122007) | more than 11 years ago | (#4054194)

09:08

According to #kde on openproject.net, an uncommitted fix already exists for Konqueror. I'm sure more details will be posted when it has been tested and committed.

Interesting page (2, Interesting)

PacoSuarez (530275) | more than 11 years ago | (#4054160)

Take a look here [e-matters.de]. I specially like the last paragraph about "reimplementing" the bug.

Damn. (5, Funny)

FreeLinux (555387) | more than 11 years ago | (#4054176)

It's been 20 minutes now and KDE doesn't have the fix up yet.

This is just rediculous. Why are they taking so long? I don't have all day. ;)

Seriously though, with a long list of IE bugs still outstanding and Microsoft blaming Verisign, rather than fixing their software, I'll bet that KDE has a fix a month or more before MS.

I wonder... (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4054201)

...who stole code from the other guy?

I blame Verisign. (0, Flamebait)

h4mmer5tein (589994) | more than 11 years ago | (#4054210)

Hmmmm, Identical bugs in IE and Konquerer. No chance of their being shared code involved so it must be down to implementation. What determines the implementation of a protocol? The API, as defined by Verisign who developed it in the first place. My guess is that this is Verisigns stuff up in incorectly specifying the protocol for handling certificates. IE and Konquerer were both written in accordance with Verisigns protocol and so both end up with the same bug.

The Joke (1)

JamesKPolk (13313) | more than 11 years ago | (#4054214)

The only joke here is that so many people somehow trust these publicly held corporations more than they do the average person.

Let's remember that Verisign is the same company that plays dishonest tricks involving .com registrations.
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...