Slashdot Mirror


IE and Konqueror Bug Makes SSL Insecure

Spad writes "The Register reports that IE and Konqueror both have a bug that allows anyone with a legit Verisign SSL certificate to issue a 'legit' certificate for a 3rd party site. IE and Konqueror don't bother to check the issuer of this intermediate cert making SSL in both browsers something of a joke". Update by Hetz: if you're using KDE from CVS, the fix is inside or you can wait until next week for KDE 3.0.3 (which will have more fixes for KDE 3.0). Thanks to Waldo Bastian for the blazing fast fix (95 minutes since it was reported).
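The missing issuer check described in the summary, as an added example that is not part of the original post or of either browser's code. It assumes the skipped check is the CA marking (basic constraints) on the certificate used as an intermediate; Go's `x509.Verify` stands in for a correct validator, and every certificate and host name below is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// issue makes a constructed test certificate; a nil parent means self-signed.
func issue(cn string, isCA bool, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), DNSNames: []string{cn}, IsCA: isCA,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	t.Subject.CommonName = cn
	if parent == nil {
		parent, signer = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// signedBy models the flawed check: the issuer's key verifies the signature, nothing more.
func signedBy(c, issuer *x509.Certificate) bool {
	return issuer.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}
// strict is full path validation (leaf first, root last): every issuer must also be marked as a CA.
func strict(host string, chain ...*x509.Certificate) bool {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(chain[len(chain)-1])
	for _, c := range chain[1 : len(chain)-1] {
		inter.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host})
	return err == nil
}
func demo() (flawedAccepts, strictAccepts, normalChainOK bool) {
	root, rootKey := issue("Constructed Root CA", true, nil, nil)
	site, siteKey := issue("legit.example", false, root, rootKey) // ordinary site certificate, CA flag false
	other, _ := issue("thirdparty.example", false, site, siteKey) // issued by that site certificate
	flawedAccepts = signedBy(other, site) && signedBy(site, root)
	return flawedAccepts, strict("thirdparty.example", other, site, root), strict("legit.example", site, root)
}
func main() { fmt.Println(demo()) }
```

The signature-only walk accepts the three-certificate chain, while full path validation rejects it and still accepts the ordinary two-certificate chain.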

4 of 443 comments

  1. Whoah... by Anonvmous+Coward · · Score: 0, Flamebait

    ... you mean Linux isn't 100% secure? How humbling!

  2. Re:Security. by doofusclam · · Score: 1, Flamebait

    And here I am on Slashdot, assuming that a topic which shows vulnerabilities in both Konqueror and IE would refrain from the IE bashing, or maybe bash both?

    But no, some dumbass comes out and says something stupid anyway. You gonna bash Konqueror now??

  3. I blame Verisign. by h4mmer5tein · · Score: 0, Flamebait

    Hmmmm, identical bugs in IE and Konqueror. No chance of there being shared code involved so it must be down to implementation. What determines the implementation of a protocol? The API, as defined by Verisign who developed it in the first place. My guess is that this is Verisign's stuff-up in incorrectly specifying the protocol for handling certificates. IE and Konqueror were both written in accordance with Verisign's protocol and so both end up with the same bug.

  4. Well I see /. says a "fix" is available now... by gamorck · · Score: 1, Flamebait
    if you're using KDE from CVS, the fix is inside or you can wait until next week for KDE 3.0.3 (which will have more fixes for KDE 3.0). Thanks to Waldo Bastian for the blazing fast fix (95 minutes since it was reported). I wonder when MS will release a fix.
    Considering it takes an entire afternoon to compile KDE 3 I'm pretty sure that ZERO testing went into this so called fix. Wow what a great job by the Open Source community. It's bad when MS releases a Service Pack that BSODs your box, but it's okay when some developer without half a brain uploads a fix that he obviously didn't even bother to test. The funny part is that it's in CVS and that means about 0.00001 % of all KDE users are going to upgrade to it before there is an official release. Somebody please point out the easy to install hotfix binary so I don't have to redownload and recompile the entire KDE suite. Ooppps! I guess ya can't can you? I guess that means that for all intensive purposes neither MS nor KDE have a widely available fix for this yet. Another victory for Open Source! J
    --
    I love idealists not because I am one, but because they make life bearable for pragmatists such as myself.