Slashdot Mirror

← Back to Stories (view on slashdot.org)

IE and Konqueror Bug Makes SSL Insecure

Posted by CmdrTaco on from the well-doesn't-that-suck dept.

Spad writes "The Register reports that IE and Konqueror both have a bug that allows anyone with a legit Verisign SSL certificate to issue a 'legit' certificate for a 3rd party site. IE and Konqueror don't both to check the issuer of this intermediate cert making SSL in both browsers something of a joke". Update by Hetz: if you're using KDE from CVS, the fix is inside or you can wait to next week for KDE 3.0.3 (which will have more fixes for KDE 3.0). Thanks to Waldo bastian for the blazing fast fix (95 minutes since it was reported).

2 of 443 comments (clear)

  1. Re:Incident response? Let the race begin! by tshak · · Score: 4, Interesting

    But will the KDE team have regression tested their fix?

    --

    There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
  2. Re:So? by bwt · · Score: 5, Interesting

    Any of those companies can "go rogue" and start issuing free certs to anybody who asks, which one of them did a while back (then they succombed to the pressures and revoked all the rights, which was pretty crummy).

    A certificate authority really is nothing different than a 3rd party who says "that certificate is legit". As you point out, anybody can be a certificate authority. However, I should be able to control who I think is a TRUSTED certificate authority, and the application should assure that I'm only told that certificate authority X certified certificate Y if that did in fact happen. If a CA goes "rogue", you can (and should) simply remove it from CA's that you trust.

    This bug is much worse: IE appearently treats anyone certified by a CA as equivalent to that CA for certification of intermediates. Verisign certifies JohnDoe and then JohnDoe can transitively assert that Verisign certifies BadDude.

    That is a disaster, because it means that in order to trust Verisign, you have to trust **everybody** that Verisign has ever certified, which is impossible.

    Which is why I self sign everything. Since it all boils down to whether or not you trust me, why should I spend $150 trying to trick you into thinking I've passed some rigorous test for "trust".

    Thats why I self-sign everything as you too :-] Seriously, though , there is nothing wrong with self-signing so long as there is an independent way to validate that you are who you say you are. For example, I work in a military environment and our cert admins hand walk certificates from them to you. Browsers generally come with the big CA's certificates built-in, so it's much easier to validate that Verisign is Verisign.