Slashdot Mirror


IE and Konqueror Bug Makes SSL Insecure

Spad writes "The Register reports that IE and Konqueror both have a bug that allows anyone with a legit Verisign SSL certificate to issue a 'legit' certificate for a 3rd party site. IE and Konqueror don't bother to check the issuer of this intermediate cert making SSL in both browsers something of a joke". Update by Hetz: if you're using KDE from CVS, the fix is inside or you can wait until next week for KDE 3.0.3 (which will have more fixes for KDE 3.0). Thanks to Waldo Bastian for the blazing fast fix (95 minutes since it was reported).

8 of 443 comments

  1. Sounds like a feature to me! by Nonesuch · · Score: 4, Funny
    I've been looking for a way to issue new "trusted" certificates for my web sites without having to pay big bucks to Verisign.

    Little did I know, the answer was right in front of me, in the form of the one Verisign certificate I shelled out the cash for :-)

  2. Security. by saintlupus · · Score: 2, Funny

    making SSL in both browsers something of a joke.

    And here I was assuming that a fine MS product like Internet Explorer would embody the rock-solid security I've come to expect from the fellows in Redmond.

    For shame, for shame.

    --saint

  3. Not surprising by leviramsey · · Score: 2, Funny

    After all, Konqueror is clearly a clone of IE (think about it: explorer vs. conqueror, both are file-managers cum web browsers, etc.). This is just a demonstration of how well the KDE people can emulate MS.

  4. Re:Huh? by erpbridge · · Score: 2, Funny

    IE and Konqueror don't bother to check the issuer of this intermediate certificate, making SSL in both browsers something of a joke.

    Now, in L33T SP34K:
    1E 4ND KoNKw3R0r d0n'T BO+her tO cHeCK Th3 1$Su3r 0f +h15 iNTERmEdi@+E cEr+1PHiC4+3, M4K1nG 55l iN BO+h BR0w5ERS 5OMe+hIN9 0F @ JoK3.

    Anyone up for Swedish Chef'ing this?

  5. Damn. by FreeLinux · · Score: 5, Funny

    It's been 20 minutes now and KDE doesn't have the fix up yet.

    This is just ridiculous. Why are they taking so long? I don't have all day. ;)

    Seriously though, with a long list of IE bugs still outstanding and Microsoft blaming Verisign, rather than fixing their software, I'll bet that KDE has a fix a month or more before MS.

  6. Re:Huh? by Anonymous Coward · · Score: 1, Funny

    Can I get an English translation of the poster's last sentence?

    All your kardz are belong to us.

  7. Re:SSL is insecure? by Anonymous Coward · · Score: 1, Funny

    Let's try not to be nit-picky for the sake of being nit-picky.

    Is "nit-picky" supposed to be hyphenated?

  8. Re:Start Timing... by Jucius+Maximus · · Score: 3, Funny
    "6 months: most MSIE users have the security update
    1 year: most Linux/BSD users get around to updating"

    You forgot:

    7 months: security people figure out that MSIE patch doesn't work, MSFT denies it.

    9 months: Microsoft releases new patch

    18 months: IE users finally are patched