Slashdot Mirror


IE and Konqueror Bug Makes SSL Insecure

Spad writes "The Register reports that IE and Konqueror both have a bug that allows anyone with a legit Verisign SSL certificate to issue a 'legit' certificate for a 3rd party site. IE and Konqueror don't bother to check the issuer of this intermediate cert, making SSL in both browsers something of a joke." Update by Hetz: if you're using KDE from CVS, the fix is inside, or you can wait until next week for KDE 3.0.3 (which will have more fixes for KDE 3.0). Thanks to Waldo Bastian for the blazing fast fix (95 minutes since it was reported).

7 of 443 comments

  1. Secure SSL is a joke by Anonymous Coward · · Score: 0, Troll

    With names displayed in a font in which capital-I and lower-case-l look the same, do you accept this certificate from lnteI?

  2. How long have the blackhats known? by Jeppe+Salvesen · · Score: 1, Troll

    Really - wouldn't this sort of vulnerability be possible to extract by listening intently to the https behavior?

    And is this OpenSSL-wide? Is that what Konqueror uses? And - how could this vulnerability exist in an open source library?

    --

    Stop the brainwash

  3. The real bug is... by stienman · · Score: 2, Troll

    The real insecurity is that they trust Verisign by default.

    -Adam

  4. Re:Whoah... by Anonvmous+Coward · · Score: 2, Troll

    "Konqueror != Linux, unlike IE which IS part of Windows (see Microsoft's own testimony in the antitrust trial)."

    It still comes with KDE. Now, to be fair, it's not as interconnected as, say, Outlook is to IE. However, SSL is a typical browsing mode that has to be secure. Just because the problem exists, it isn't any more a vulnerability to Windows than Konqueror is to Linux.

    However, that is far from the point I was making. The point I was making was that security on any OS or browser is a myth. Switching to Linux doesn't make your computer more secure, it makes it more obscure.

    The only reason that hasn't harshly been demonstrated yet is that Linux users are few and far between compared to Windows or even Mac users. So Windows bears the most of the brunt of the effort put into taking it down. Trust me, if/when Linux has its day, it'll have its share of security-related issues as well. I don't care if you disagree with me on that point or not. However, you're not doing yourself any harm by treating your computer as though it is vulnerable, and taking sensible precautions.

  5. Re:testing Moz 0.9.4 doesn't qualify as a test by Shimbo · · Score: 0, Troll

    Testing Moz 0.9.4 doesn't qualify as a test.

    I see; and testing IE5 and IE5.5 is different how? I expected he tested the version that happened to be installed. You would only have to be running, say, SuSE 7.3 (only one version behind the current) to have Mozilla 0.9.4 pre-installed.

  6. Re:Whoah... by Anonvmous+Coward · · Score: 0, Troll

    "Oh why don't you shut up you wuss!"

    What's the matter? Don't have a counterpoint so ya want me to shut up?

  7. Re:Well I see /. says a "fix" is available now... by talks_to_birds · · Score: 0, Troll

    M$ pimp..

    t_t_b

    --
    I'm on PJ's "enemies" list! Are you?