IE and Konqueror Bug Makes SSL Insecure

Spad writes "The Register reports that IE and Konqueror both have a bug that allows anyone with a legit Verisign SSL certificate to issue a 'legit' certificate for a 3rd party site. IE and Konqueror don't both to check the issuer of this intermediate cert making SSL in both browsers something of a joke". Update by Hetz: if you're using KDE from CVS, the fix is inside or you can wait to next week for KDE 3.0.3 (which will have more fixes for KDE 3.0). Thanks to Waldo bastian for the blazing fast fix (95 minutes since it was reported).

Huh?

[shadow303]

Can I get an english translation of the poster's last sentence?

Re:Huh?

[erpbridge]

IE and Konqueror don't bother to check the issuer of this intermediate certificate, making SSL in both browsers something of a joke.

Now, in L33T SP34K:
1E 4ND KoNKw3R0r d0n'T BO+her tO cHeCK Th3 1$Su3r 0f +h15 iNTERmEdi@+E cEr+1PHiC4+3, M4K1nG 55l iN BO+h BR0w5ERS 5OMe+hIN9 0F @ JoK3.

Anyone up for Swedish Chef'ing this?

Re:Huh?

[sporty]

Let's say I go to verisign and get a certificate for encryption, which also garantees my identity. With in the cert, is my information, encryption information, where the cert came from and who issued the cert. I can use my cert to generate other certs using encryption software.

What this means, for people who have browsers which don't check where the cert came from, will not be warned that a certificate was granted from an untrusted source. Who are trusted sources? AOL, Thawte, Verisign.. etc.. Look in browser prefs for certificate authorities; the trusted circle of people to say you are who you are.

Why is this dangerous? Well, for one, you can claim you are whomever you wish, while looking like you are from this trusted circle. You look like you are from this trusted circle because no one claims otherwise. Your browser would usually bitch at you about certs made from non-authorities. But since your browser won't bitch about where your cert came from, and just looks at the authority..

So what if it isn't from a trusted circle? Using this in combination with dns spooofing, you could get people to give you information over ssl "secure connection" (rolling eyes) without the browser bitching at you that the cert you are looking at was made by verisign but not issued by verisign.

Re:Huh?

Can I get an english translation of the poster's last sentence?

All your kardz are belong to us.

Re:Huh?

[BlueUnderwear]

Still, with checking in place, I can just go to verisign, get me a cert.

You'll get an "end-entity" certificate earmarked for your own website (you have to prove you're in charge of the URL that you are getting a certificate for). The certificate won't work on other sites (because the browser compares the site's URL with the URL embedded in the certificate),...

Start producing certs

... nor can it be use to produce other certificates. Indeed, a non-buggy browser only accepts certificates with the "CA basic constraint" set to true for creating other certificates. And the CA won't hand out any such certificates, except to other reputable CA's.

Re:Huh?

[iabervon]

Of course, if you consider how many of the "trusted circle" have been indicted or are being investigated for fraud of one sort or another...

Re:Huh?

His request for the translation of the last sentence was NOT because he didn't read the article, fucktard. It was due to "bother" being mis-typed as "both":

"and Konqueror don't both to check

His post was simply a less direct method of the time-honored tradition of pointing out the horrendous spelling and editing to be found on a daily basis on Slashdot.

Re:Huh?

[xanadu-xtroot.com]

Anyone up for Swedish Chef'ing this?

IE und Kunqooerur dun't but tu check zee issooer ooff thees intermedeeete-a cert mekeeng SSL in but broosers sumetheeng ooff a juke-a.

Hey, you asked...

:-)

Re:Huh?

[RayBender]

Anyone up for Swedish Chef'ing this?

"IE ock Konqeuror bryr sig into om att kolla utgivaren av certifikatet. Det gör SSL i bägge browsers till något av ett skämt. Bork bork..."

Re:Huh?

[IXI]

> Can I get an english translation of the poster's last sentence?

Did he actually pass away writing that article?
Writing on slashdot seems to be really dangerous ;)

What about Mozilla

[SpanishInquisition]

I assume that if you don't mention it,Mozilla doesn't have this problem?

Re:What about Mozilla

[baldass_newbie]

From the article:
"Mozilla was not vulnerable, but I'm not sure if that's because it handled the situation properly, or is, ironically, somehow too buggy to be exploited."

I don't know if that's exactly a show of support. It goes into more depth if you'd bother to read the article.

Re:What about Mozilla

[CptNoSkill]

No, if (shock) you had read the article, you would have seen that Mozilla (.94) is working fine and does not suffer from this problem. It has yet (IIRC) to be tested on newer versions, but they should still be fine...

Re:What about Mozilla

[LoonXTall]

The version of this exploit referenced from Larholm's unpatched IE vulnerabilities does not work in Moz 1.0-RC3. It fails with "connection refused".

Re:What about Mozilla

[Frank+Grimes]

"Mozilla was not vulnerable, but I'm not sure if that's because it handled the situation properly, or is, ironically, somehow too buggy to be exploited." I don't know if that's exactly a show of support. It goes into more depth if you'd bother to read the article.

He was using an old version of Mozilla (0.94). Has anybody tried this with 1.0 or 1.1?

Re:What about Mozilla

[Jucius+Maximus]

"Has anybody tried this with 1.0 or 1.1?"

I've had Moz 1.1 complain about certificates where the cert company was inconsistent with the issuer.

Re:What about Mozilla

[Eightlines]

I'd suggest the author try a more current version of Moz. 0.9.4 has to be about 6 months old. For all we know the non-responsiveness of the browser may have been due to a bug in the browser that has since been fixed. (version 1.1a is available after all.)

Re:What about Mozilla

[kalidasa]

Well, I was trying to track down a bug yesterday in 0.9.6, which dates to December, so I'm guessing that 0.9.4 dates to September or October of 2001. Hardly an up-to-date test, especially as most of this stuff is fixed in 1.0. But the BugTraq posting said Moz 1.0 was invulnerable, no?

Re:What about Mozilla

[ReverendRyan]

I just tested Mozilla 1.0 running under Windows 2k, and it failed (displayed the page with no error). The thing I dont understand is how its much of a bug if you have to edit your hosts file. (Unless, of course, someone hacks your DNS server). Perhaps its been fixed in later versions of Mozilla?

Re:What about Mozilla

[ReverendRyan]

I just tested Mozilla 1.0 without the modified hosts file, and it sill fails (yes, i cleared my cache). Is there any browser in Windows that isnt vulnerable to this?

Re:What about Mozilla

[DavidTC]

It's not just hacking your DNS server, it means people can domain name hijack, which happens all the time, they can just stick a transparent proxy on your pipe, they can poison DNS caches, etc.

There are literally dozens of way to have someone's request for amazon.com to end up at evilhackers.com, and https:// is supposed to ensure that Verisign or some other company thinks that really is amazon.com

Re:What about Mozilla

[Old+Wolf]

I've always found Netscape (and therefore Mozilla I guess) to handle security properly. (The fact that the rest of it is so horrible to use, not withstanding). In fact the article says that Mozilla is not vulnerable.

I'm annoyed that this is reported as 'making SSL insecure' or making a 'joke' of it. It isn't. It is a failure of the browser to verify the certificate authority chain.

With OpenSSL you can generate a certificate request, and then use another certificate to sign it (or, in this case, submit it to Verisign so that they can sign it with their certificate). You can then use this new certificate to sign more, and so on. So the chain might look like:

[Verisign root certificate]
--->
[www.myserver.com]
--->
[www .fakeserver.com]

Obviously in this example www.fakeserver.com only belongs to the group of servers trusted by www.myserver.com and not to the group trusted by Verisign. The bug being reported is that IE and Konq mistakenly assign www.fakeserver.com to the group trusted by Verisign.

Now, what is the upshot of all this? What we have lost here, from the client's point of view, is the assurance that the server is who they say they are. Other aspects of SSL (secure encryption, inability for other parties to intercept connection, client validation) still work. A successful workaround would involve the person operating the client manually inspecting the certificate chain, and checking that *all* the sites on it are ones he/she trusts, not just the top one.

Re:What about Mozilla

[stevek]

Other aspects of SSL (secure encryption, inability for other parties to intercept connection, client validation) still work.

I don't think so.. If you can spoof a certificate, you can act as a "man in the middle". So, you get clients to send you all their data, you decrypt it, and re-encrypt it to send it to the real destination, and vice-versa.

So, you see all the unencrypted data, the client and server think they've got a private, secure connection, but all they've (each) got is a secure connection to you.

I.e. [Victim] <-> [Attacker] <-> [Bank].

instead of

[Victim] <-> [Bank], as expected.

Re:What about Mozilla

[welshsocialist]

As far as I can tell from The Register's article, Mozilla was not effected. However, in saying that, Opera released a new Windows build to address an SSL problem. I don't know if its the same one that affected MSIE & Konq.

Heh

[kraf]

Has Slashdot become the comment board for The Reg articles ?

Re:Heh

[casings]

the problem is this was on bugtraq way before it was on the register :(

Re:Heh

[CptNoSkill]

Yea, but never the interesting articles

Re:Heh

[taviso]

Thomas C Greene makes a living out of reading bugtraq and regurgitating it on the register, his articles consist of little else except the odd convention commentary.

my favourite comment:

Konqueror turned out quite vulnerable, as I mentioned above. Mozilla was not vulnerable, but I'm not sure if that's because it handled the situation properly, or is, ironically, somehow too buggy to be exploited.

this seems to be a pretty black & white flaw, the browser is either vulnerable or not vulnerable, how can it be "quite vulnerable" ?

and why on earth is he flaming mozilla for handling the situation correctly ?, another typical TCG comment - plenty of opinion, not much fact.

Re:Heh

[Hawke]

And if so, is this a bad thing?

Re:Heh

[jlv]

I read the whole article. His writing is atrocious. It doesnt't take much to be a "journalist" these days.

Re:Heh

[topham]

Because Mozilla didn't handle it properly. It didn't fall for the trap, but it didn't notify the user in a usable manner that there was a problem.

So, it just looks like a bug.

Re:Heh

[Captain+Pedantic]

It may surprise you but quite means "wholly, completely", or so quoth my dictionary.

Re:Heh

[Fjord]

Regardless of whether you could give a shit, when you try the demo of the exploit with mozilla it just looks like a bug (it says "Error Code:-8183"), so I'd say the reporter was pretty even handed when he said he didn't know if it was a bug or by design that mozilla wasn't vulnerable.

Re:Heh

[saider]

The Register in general is atrocious. It gives me that "Tabloid TV" feeling, so I tend to avoid it.

Re:Heh

[Fjord]

In addition, it's not clear that Mozilla doesn't fall for the trap because the error may be related to the fact that the site name and the issued-to name aren't the same. If www.amazon.com were DNS spoofed to 168.100.185.227 (www.thoughtcrime.com, where the example attack is), then it may work. I've modified my hosts file to check this, but now I can't connect to www.thoughtcrime.com at all.

Re:Heh

[Fjord]

IE 5.0 and 5.5 don't check anything at all whereas IE6 checks if certain fields are present in the certificate. Since Verisign rarely includes the fields, it means you can exploit IE5 5.5 and 6 with their certs. Since Thawte includes the fields, you can only exploit IE5 and 5.5.

Thus IE5 and 5.5 are quite vulnerable because even after all the certs out there expire and Verisign puts in the fields needed to get IE6 to check, IE5 and 5.5 are still vulnerable.

Re:Heh

[inkfox]

Has Slashdot become the comment board for The Reg articles ?

Hey - The Register is just a tabloid. Slashdot is a well-researched news site! Also, I have a flying car.

Sounds like a feature to me!

[Nonesuch]

I've been looking for a way to issue new "trusted" certificates for my web sites without having to pay big bucks to Verisign.

Little did I know, the answer was right in front of me, in the form of the one Verisign certificate I shelled out the cash for :-)

Re:Sounds like a feature to me!

[soup]

Well, it certainly enforces the "IE" only websites! Perhaps too much effort in Konqueror went into IE compatibility by duplicating IE's flaws?

Security.

[saintlupus]

making SSL in both browsers something of a joke.

And here I was assuming that a fine MS product like Internet Explorer would embody the rock-solid security I've come to expect from the fellows in Redmond.

For shame, for shame.

--saint

Re:Security.

I know.. At least those dirty GNU hippies got it right.

What? You say konqueror's affected?

Re:Security.

[doofusclam]

And here I am on Slashdot, assuming that a topic which shows vulnerabilities in both Konqueror and IE would refrain from the IE bashing, or maybe bash both?

But no some dumbass comes out and says something stupid anyway. You gonna bash Konqueror now??

Re:Security.

[soloport]

Er, what Konqueror problem?

The problem's been fixed in Konqueror. Can you say the same for IE V5, 5.5 and 6?

Noooooooo...

Re:Security.

[Narchie+Troll]

Yes, I believe he called it a "piece of shit" on another part of this thread. Read before you flame.

Re:Addressed in the article

[ianscot]

Konqueror turned out quite vulnerable, as I mentioned above. Mozilla was not vulnerable, but I'm not sure if that's because it handled the situation properly, or is, ironically, somehow too buggy to be exploited.

The author checked.

Re:And...

[spencerogden]

How exactly is mozilla the core of konq?

SSL is insecure?

[dave-fu]

Funny, I'd say the implementations are flawed and they're insecure. If the adhered to the RFC as it was written (rather than glossing over one little step), millions of users wouldn't be in a bind here.
That said, calling SSL insecure is about as sane as calling email insecure because flawed implementations are plagued with problems or http insecure because some web servers choke on archaic flags and such.
The moral of the story? Read your RFCs and then re-read them with a friend or two to make sure you read them right the first time.

Re:SSL is insecure?

[kasparov]

Since the title of the article is "IE and Konqueror bug makes SSL Insecure" and the article body says "IE and Konqueror don't both to check [sic] the issuer of this intermediate cert making SSL in both browsers something of a joke," then I would venture to say that they were not calling SSL in itself insecure. Let's try not to be nit-picky for the sake of being nit-picky.

Re:SSL is insecure?

[Valar]

Ask yourself, how is that insightful? The author clearly intended that the SSL functionality in the browsers is a joke. Not SSL itself. In fact, it says that both in the story and the comment. Do not be tempted onto the moderation bandwagon!

Re:SSL is insecure?

[timcuth]

I don't know the answer to whether "SSL in itself" is insecure, but as an Oracle DBA, I just received a security warning from Oracle that states "There are remotely exploitable buffer overflow vulnerabilities in OpenSSL versions prior to 0.9.6e". This sounds to me like it is SSL itself that has the problem (if, indeed, this is the same problem).

Here are Oracle's reference links:
http://www.openssl.org/news/secadv_2002073 0.txt
http://www.cert.org/advisories/CA-2002-23.h tml

Tim

Re:SSL is insecure?

[kasparov]

No, it is the implementation of SSL in OpenSSL versions prior to 0.9.6e. This is not a failure of the SSL protocol, but a failure of an implementation of that protocol.

The Win32 API is fundamentally flawed. SSL is not (as far as we know so far).

Re:SSL is insecure?

[timcuth]

Okay, that is cool with me.

Re:SSL is insecure?

[4of12]

Read your RFCs and then re-read them with a friend or two to make sure you read them right the first time.

I'd say another thing is to give some glory to people that write regression tests for RFC compliance for various applications.

Even all the stupid sounding things that people think "never" happen in real life. Those things that happen only one out of 1e7 times are the first things that the cracking crowd applies their crowbars to.

Microsoft, especially, could do with some of that kind of testing given their huge R&D budgets. It might help diminish the public black eyes they keep getting with respect to standards compliance and security vulnerabilities. Getting the mindset of being compliant to a standard rather than "we are the standard" might help them to write more watertight APIs.

Re:SSL is insecure?

Let's try not to be nit-picky for the sake of being nit-picky.

Is "nit-picky" supposed to be hyphenated?

Re:SSL is insecure?

[BitHive]

Email and HTTP *are* both insecure, even when implemented to-spec. They transmit in plaintext, making them subject to eavesdropping attacks. That's part of the reason SSL is so important, as it is commonly used to secure inherently insecure HTTP connections.

Re:SSL is insecure?

[timcuth]

Sorry, but as a full-time Oracle DBA running two different Oracle DBMS's (relational and OLAP), I have enough Oracle stuff to worry about without trying to become a security expert, too. I *have* to rely on Oracle to spoon feed me on the low level security issues.

Tim

Re:SSL is insecure?

[kiwimate]

According to Merriam-Webster, the answer is no.

So why not save the confusion and use pedant instead? Then everyone wins!

Not surprising

[leviramsey]

After all, Konqueror is clearly a clone of IE (think about it: explorer vs. conqueror, both are file-managers cum web browsers, etc.). This is just a demonstration of how well the KDE people can emulate MS.

How long have the blackhats known?

[Jeppe+Salvesen]

Really - wouldn't this sort of vulnerablility be possible to extract by listening intently to the https behavior?

And is this OpenSSL-wide? Is that what Konqueror uses? And - how could this vulnerability exist in an open source library?

Re:How long have the blackhats known?

[DaleP]

Its not a problem in OpenSSL, the problem is in the way Konquerer uses it (or fails to in this case).

The Joke had already been made...

[marko123]

When companies set themselves up to charge hundreds of dollars for strings of unique data called Certificates. It's frigging disgusting. I'd trust a private key long before I bought a certificate by companies who slam, and from companies who sold my identity to spammers.

Hang on, which one was which?

Re:The Joke had already been made...

[casings]

the problem is the client. If you have a private key and a browser comes up with an erroneous key, what is stopping someone from doing a mim attack on you because the client can't tell the difference between a faked key and the one that he has to push yes to upon entering the damn site?

unfortunately these companies are trusted, and should be. I don't like verisign anymore than the next person but who else is gonna do it, M$?

Re:The Joke had already been made...

[sphealey]

the problem is the client. If you have a private key and a browser comes up with an erroneous key, what is stopping someone from doing a mim attack on you because the client can't tell the difference between a faked key and the one that he has to push yes to upon entering the damn site?

Have you ever known anyone (except perhaps Bruce Sterling) to visit a site to get a download or submit an order, get a "certificate not known" message, and do anything except click "Proceed"? Joe and Jane sysadmin, much less Richard and Sally end user, have no idea how certificates work and what answers should be given to what dialogue.

Totally broken protocol from the end users' perspective.

sPh

Re:The Joke had already been made...

[casings]

precisely the problem, he would just be adding to their frustration by making their clicking proceed commonplace. :(

Re:The Joke had already been made...

[iamacat]

Well, I look at how it's not valid. If it's just expired recently or it's for ssl.bankamerica.com rather than www.bankamerica.com I will let it go. If it's not signed by CA or is for bankam3r1ca.com, I'll close the window right away, in case I have any ActiveX controls signed by the real site that talk to the server and perhaps can be spoofed to do interesting things. Hmm.. What were the websites where you order stuff again?

Re:The Joke had already been made...

[expro]

unfortunately these companies are trusted, and should be. I don't like verisign anymore than the next person but who else is gonna do it, M$?

Do you think VeriSign is going to survive any more than other companies in similar positions against Microsoft initiatives? Most users trust Microsoft more than VeriSign, anyway.

A bank would be the natural institution of trust, but that would imply associating financial liability with use of the signature, which Microsoft has always been careful to avoid.

Re:The Joke had already been made...

[casings]

Point noted, and i agree but this area isn't m$'s schtick just yet.

I won't be surprised if we do see this in the not-too-distant future, the combination of some CA with mikey in an effort to make passport the be-all-end-all solution for eCommerce security and reliance.

Is it strange that m$ still uses verisign, instead of the obvious, making IE trust Mikey signed sigs?

How about this, buy Win2k Advanced Corporate Website Server Secure Edition, get free 128bit ssl signed cert.

Re:The Joke had already been made...

[numark]

When companies set themselves up to charge hundreds of dollars for strings of unique data called Certificates. It's frigging disgusting.

There is a reason that they charge so much for certificates these days. Not only does a certificate allow you to use encrypted communications, but it also assures the end-user that a web site is who they claim to be (at least, that's how it's supposed to work).

So, to limit their liability, certificate authorities have to have insurance in case some person sues them for issuing an invalid certificate. Insurance costs money, and that cost is passed on to the certificate buyer.

On my opinion it's not a bug - it's a feature!

[WetCat]

IMHO:
Finally get rid of that "Certificate check" stuff!

Reality check: people do not use certificates to check recipient validity. They use SSL to cover traffic in transit. Man in the middle attack is much more remote possibility than having unencripted traffic flow.

People that didn't check certificates are getting what they ought to.

Spoof?

[Density_Altitude]

After associating Benham's test-page IP with www.amazon.com in my hosts file I found that in Konqueror, following a link to https://www.amazon.com brought me immediately to the 'you've been hacked' page
It seems normal to me that after associationg the IP with the amazon domain name in your hosts file, the malicious IP gets precedence over the autoritative association from the DNS.
So he dosen't get to the real amazon.com, obviously. If this attack requires a domain spoof it's quite unlikely to happen IMHO.

Re:Spoof?

[gmack]

Don't be so sure about that. For the longest time windows allowed javascript to edit c:\windows\hosts (has the same affect)

Also the entire *point* of SSL certs is to make this sort of thing impossible. It should have popped up a warning telling the user that it wasn't the real certificate.

Re:Spoof?

[gmack]

I disagree they are easier to pull off than people think. DNS buffer overflows have been rather common in the past and for the longest time IE allowed hostile pages to overwrite c:\windows\hosts (Not sure if they have even fixed this issue)

Re:Spoof?

[roca]

> Man-in-the-middle attacks are very complex and
> not likely to be pulled off "in the wild".

No. MITM attacks are very easy to pull off with the right tools. You can easily take control of any TCP connection made by any other machine on the same Ethernet. Even if the network is fully switched you can use ARP poisoning to get around that.

Of course, if you manage to take control of a DNS server then you can easily do MITM attacks against many machines. Heck, do you trust the employees of your ISP with your banking information?

Re:Spoof?

[MikeBenham]

A lot of people have been saying that, so I wrote a tool (sslsniff) to demonstrate the problem in a more "real-world" setting. It performs undetected hijacking/sniffing of IE SSL sessions, even on a switched network. sslsniff: http://www.thoughtcrime.org/ie.html

Re:Spoof?

[ceswiedler]

By the way, I've performed full man-in-the-middle with a real bank
involved and myselft as victim. It's easy and works perfectly, so I've put
a brief description and screenshots at http://arch.ipsec.pl/inteligo.html
Details on programs' setup and fake certificate generation are omitted
not to provide script-kiddies with a ready recipe.

Actually, you can use Mike's https://www.thoughtcrime.org/ as demo
site but you first need to DNS spoof your browser into thinking
that www.amazon.com has address of 66.93.78.63, which is easy using
dnsspoof from dsniff for example.

From the SecurityFocus thread referenced in another post.

Re:Spoof?

[Jucius+Maximus]

"It seems normal to me that after associationg the IP with the amazon domain name in your hosts file, the malicious IP gets precedence over the autoritative association from the DNS. So he dosen't get to the real amazon.com, obviously. If this attack requires a domain spoof it's quite unlikely to happen IMHO."

I expect that this bug could exploited in a deadly manner with some onmouseover tricks. The unwary user could be lulled into a false sense of security by seeing amazon.com (placed by javascript) in the status bar when in fact they are being sent to some other IP address, whose secure certificate is spoofed by exploiting this vulnerability.

Re:Spoof?

[steve_l]

Do you have to take over a DNS server?

Why attack DNS when DHCP is there for anyone else to play with.

I wonder what would happen if I set my home cable modem based server to act as a DHCP server to other systems on the shared cable segment, re-issuing their existing IP addresses and telling them to talk to me for DNS.

Start Timing...

[Vengie]

Before the M$ vs Everyone war starts...how about we have a fair and simple timing contest.....where does this get fixed first? ;)

Re:Start Timing...

[Winterblink]

Wow, a geek race. This should be interesting. Not. Who the hell cares which group fixes the bug the fastest, as long as both fix it in a timely fashion (ie. as fast as possible)?

Re:Start Timing...

[g()()ber]

My Prediction:

1 day: Konqueror is fixed in CVS
1 week: most KDE developers get the fixed version
2 weeks: unmasked in Gentoo, in Debian unstable, RPMs released
3 weeks: MS releases a patch in a security update
4 weeks: in Debian testing, RPMs that work are released
1 months: many MSIE users have the security update
6 months: most MSIE users have the security update
1 year: most Linux/BSD users get around to updating

Re:Start Timing...

[kalidasa]

Before the M$ vs Everyone war starts...how about we have a fair and simple timing contest.....where does this get fixed first? ;)

Since Mozilla doesn't have a problem (and ignore the Reg author's comments about Mozilla, the version he called too buggy is almost a year old (0.9.4)), I'd say Mozilla won.

Re:Start Timing...

[tshak]

OSS will always win. This is because there is no testing policy. If MS releases a Windows Update that crashes computers they look horrible. If you download a Beta or Alpha patch and it breaks something, you just shrug and go back to the earlier version. Personally, we just have to wait to see who releases a fully tested (regression, functional, etc.) patch first. This is much harder to quantify.

Re:Start Timing...

[Jucius+Maximus]

"6 months: most MSIE users have the security update
1 year: most Linux/BSD users get around to updating"

You forgot:

7 months: security people figure out that MSIE patch doesn't work, MSFT denies it.

9 months: microsoft releases new patch

18 months: IE users finally are patched

Re:Start Timing...

[Vengie]

"timely fashion" Ok, microsoft troll (as evident by your previous posts) my poiny being, , THE CHANCE OF GETTING A PATCH FROM M$ in a _TIMLY FASHION_ is slim to nil. (Or perhaps the world's first negative probability) This is one of the largest flaws with m$ software -- full dependance on redmond for patches -- at their speed. *sigh*

Re:Start Timing...

[Vengie]

Point In Case -- Read above 95 minutes and we have a fix for the Konquerer side
Microsoft? Still waiting.
-nuff said.

Re:Start Timing...

[Winterblink]

Microsoft Troll? You're making an assumption, and that is that I don't run or haven't run a non-Microsoft operating system. Because I run both, that means I've got experience with the good and the bad of both, and can speak to each of them.

Judge me on the merits of my previous posts if you will, but don't call me a Microsoft Troll because I won't stand up and get in line with either group of closed minded people.

Re:Start Timing...

[Vengie]

I'm currently writing this from Mozilla on a Windows XP system. At home, I have an imac, a little box running linux and a few (legal) xp machines. Your post was exceedingly caustic -- i think you have blindly followed microsoft in this case. It isn't a geek war -- the oss side will release a patch far sooner, and that is the entire point. M$ is notoriously awful about patching anything....and they sneak lovely eula additions in. IMHO, one of the weakest parts about microsoft software.....(their initial buggy nature aside)

Re:Start Timing...

[Winterblink]

Off-topicness aside...

If my response came across as caustic, I apologize, however it was meant as a statement of fact. And it's not necessary to say I blindly follow anyone (a scathing statement) in any case. I'll agree their patches might not always show up an hour and a half after a bug is found, and I'll concede that their software isn't the least buggy on the market. The issue I have is with the attitudes of those involved. Both sides acknowledge the problem and that's fine, but only one side releases a fix with a childish "nah-nah-nah, I fixed mine first!" And you say there's no geek war?

EULA arguments are a different thing entirely, more off-topic than this discussion. :)

Re:Start Timing...

[kasperd]

6 months: most MSIE users have the security update
1 year: most Linux/BSD users get around to updating

I can only think of one reason why most Linux users would wait that long: Very few of them is actually using Konqueror to connect to SSL sites. So those users have no need to upgrade and first get the fix when they are upgrading their complete distro anyway.

There is no reason to believe the avereage user of SSL under IE should upgrade faster than the avereage user of SSL under Konqueror.

Re:Start Timing...

[Vengie]

I think its a more the issue that the oss side has the ABILITY to fix it themselves -- and that the ms side is at the whimsey of redmond to release a patch =)

So?

[dasmegabyte]

The certificate issuer is not exactly a secure concept anyway. The whole idea of "trusted providers" being a list of folks engineered by the browser's authors is just asking for trouble. Any of those companies can "go rogue" and start issuing free certs to anybody who asks, which one of them did a while back (then they succombed to the pressures and revoked all the rights, which was pretty crummy).

Besides, the contracts of all cert providers totally absolves them from any crime or misuse of data undertaken by their issued members. Which is a strange definition of "trust"...that it can only be placed in an unknown third party who has no control nor responsibility over the site you're connecting to, and neither has any liability should your data wind up in the hands of ne'erdowells.

Which is why I self sign everything. Since it all boils down to whether or not you trust me, why should I spend $150 trying to trick you into thinking I've passed some rigorous test for "trust". All that matters is that the data users send me is encrypted, which it is. That $150 cuts into my already wafer thin margins, and it cuts even more when you think I'll have to get a different sert for each of my subdomains.

Which is where this bug is actually beneficial. It allows you to get signed once for all your domain names. No more paying exorbitant sums for the paltry 10,000 cycles of processor time it takes to generate a certificate, you can get www.yourdomain as well as yourdomain, yourmisspelleddomain, secure.yourdoman and mail.yourdomain certified for the price of one. Just sign the main site...and use the money to buy an escrow insurance policy.

Re:So?

[mlong]

Which is why I self sign everything. Since it all boils down to whether or not you trust me, why should I spend $150 trying to trick you into thinking I've passed some rigorous test for "trust". All that matters is that the data users send me is encrypted, which it is. That $150 cuts into my already wafer thin margins, and it cuts even more when you think I'll have to get a different sert for each of my subdomains.

Unfortunately most clients/browsers seem to go out of their way to discourage self-signed certificates with error messages that sound like "This certificate was self-signed. We don't know who the hell this person is. They could be a terrorist wanting to destroy your computer. If you click YES then they could format your harddrive and steal your credit card. By the way, even if you click YES we'll keep asking you everytime you visit this site unless they shell out some $ to Verisign or Thawte"

Re:So?

[realnowhereman]

Isn't this exactly the same as when SSH first connects to a host you get an unknown fingerprint message (unless you've already copied the key of course)?

Personally I always say yes. I just accept that the likelyhood of me being spoofed at exactly that moment is very small. Given that that is true that host becomes "safe" from then on. Could the same principle not be applied to these self-signing web hosts.

Most of the secure sites I use get used again and again so this would work perfectly. And for the truely paranoid what about when you register for a site you get sent the site public key and can just start encrypting away.

Re:So?

>Which is why I self sign everything.

Cool. So how do the end users tell the difference between your self signed certificate and the one I create to look exactly like it?

Re:So?

[mlong]

Isn't this exactly the same as when SSH first connects to a host you get an unknown fingerprint message (unless you've already copied the key of course)?

Personally I always say yes. I just accept that the likelyhood of me being spoofed at exactly that moment is very small. Given that that is true that host becomes "safe" from then on. Could the same principle not be applied to these self-signing web hosts.

Most of the secure sites I use get used again and again so this would work perfectly. And for the truely paranoid what about when you register for a site you get sent the site public key and can just start encrypting away.

For websites you can usually turn it off permanently (if you use IE) but Outlook won't let you do the same for email. My main issue about it is A) its annoying as hell and B) it puts doubt into customer's minds when there shouldn't be. It ought to just say "Do you trust this person?" and if you say YES, that person stays trusted forever. Microsoft had no problem doing that for ActiveX yet they can't do the same for SSL certs.

Re:So?

[mpe]

Unfortunately most clients/browsers seem to go out of their way to discourage self-signed certificates with error messages that sound like "This certificate was self-signed. We don't know who the hell this person is.

Thing is that having an "official" certificate dosn't prove much anyway. Other than that someone had given money to Verisign. I'm sure people here can say exactly what checks Verisign carries out.
In strict terms this probably isn't even a bug, since it's just following a "web of trust" approach.

Re:So?

[mpe]

For websites you can usually turn it off permanently (if you use IE) but Outlook won't let you do the same for email.

Other software which understands IMAP over SSL can handle storing the certificate. Maybe it's deliberate to dissuade people from using non Microsoft server software.

Re:So?

[topham]

While I agree with you as to the actual effectiveness I don't think self-signing is actually a solution.

I know that Verisign is less than absolutly trust worthy. I also know they take atleast basic steps to ensure they issue a certificate to the correct entity. (Yes, they have made mistakes on that in the past, re: Microsoft).

I don't on the other hand, have any reason to believe you aren't a fly-by-night huckster waiting to receive a dozen (or thousand...) credit card numbers...

I want some level of assurance that you are indeed traceable. Even if, to some degree, its a false hope. Even if you pull off a scam on Verisign (or any other registrar) I know that there is a much larger trail to trace back to you and that it is more likely to get a good response from law enforcement authorities and/or financial institutions.

On the other hand, I've never concerned myself much with running programs which were self-signed. I mean, heck, I've run unknown programs on my computer since 1988, whats a few 'self-signed' programs...

Re:So?

[terrymr]

As far as verisign is concerned how trustworthy you are depends on how much money you want to give them. By means of a sliding scale of fees (bribes) you can get anything from a personal certificate right through to a CA certificate.

Proof of the lack of checking being done is that fact that not too long ago somebody managed to by certificates that proved they were Microsoft when they weren't.

Re:So?

[Fjord]

The reason this is a problem is because certification is there to prevent man-in-the-middle attacks. If I can issue a cert that IE and Konq believe are for your site, then I can sit between your site and your clients and listen in on the conversation by taking what you say, intercepting it, reencoding it to my key and then taking what the clients say, intecepting it and reencoding it to your key.

Self signing is a terribly bad idea because a man in the middle can always intercept your authority key and replace it with his own. This can happen too when you used standard keys, like Verisign, and download your browser on the web but it is less likely and you can check Versign's local public key in many ways to reduce the change you are being spoofed to near 0. Every encryption system in existance involves an inital trusted event, but I don't want to have to have an initial trusted even with each site I want to do business with.

Still, for simple crap (e.g. anonymous message boards), self signig is probably ok by me. I just wouldn't bank or purchase with it.

Re:So?

[bwt]

Any of those companies can "go rogue" and start issuing free certs to anybody who asks, which one of them did a while back (then they succombed to the pressures and revoked all the rights, which was pretty crummy).

A certificate authority really is nothing different than a 3rd party who says "that certificate is legit". As you point out, anybody can be a certificate authority. However, I should be able to control who I think is a TRUSTED certificate authority, and the application should assure that I'm only told that certificate authority X certified certificate Y if that did in fact happen. If a CA goes "rogue", you can (and should) simply remove it from CA's that you trust.

This bug is much worse: IE appearently treats anyone certified by a CA as equivalent to that CA for certification of intermediates. Verisign certifies JohnDoe and then JohnDoe can transitively assert that Verisign certifies BadDude.

That is a disaster, because it means that in order to trust Verisign, you have to trust **everybody** that Verisign has ever certified, which is impossible.

Which is why I self sign everything. Since it all boils down to whether or not you trust me, why should I spend $150 trying to trick you into thinking I've passed some rigorous test for "trust".

Thats why I self-sign everything as you too :-] Seriously, though , there is nothing wrong with self-signing so long as there is an independent way to validate that you are who you say you are. For example, I work in a military environment and our cert admins hand walk certificates from them to you. Browsers generally come with the big CA's certificates built-in, so it's much easier to validate that Verisign is Verisign.

Re:So?

[Beryllium+Sphere(tm)]

>The whole idea of "trusted providers" being a list of folks engineered by the browser's authors is just asking for trouble

Indeed. There's another problem, too.

In a back issue of Crypt-o-gram Bruce Schneier pointed out that the list of trusted signers is editable. It's not hard-coded into the browser but instead can be added to at runtime. Convenient for corporations running their own PKI, but otherwise just a point of attack.

Other fun point -- he estimated the cost of compromising Verisign's root key. Being a security professional he didn't go tunnel-vision on cracking the crypto or compromising the signing machine. He pointed out that for a few tens of millions you could do a leveraged buyout of the whole company.

Re:So?

[dasmegabyte]

Well, because you'd need to get your cert on my machine to get that response. If you've got that kind of power, you've got the data anyway.

What did the third party prevent in this attack? Nothing.

If you want to put up WebsIum.net, and put up a cert, you're welcome to. But it's more likely that I'll be able to track down your copyright theft via your registrar than via Thawte.

Re:So?

[mlong]

Create a certificate solely for the purposes of signing and add that to your certificate store as a trusted CA on the client machines. Then create other certificates for the various web sites in your organization and sign them with the signing certificate. You won't be prompted about it again.

Yep that did it and works like a charm. I do appreciate the advice. Though I do still wish there was a simple "Don't ask my anymore" option. For example, my favorite email client Mulberry has this. It says something to the effect that the certificate is self-issued and may not be trustworthy, and you can either choose to allow for that session or allow forever. You don't have to worry about downloading an authority certificate, etc.

Re:So?

[slamb]

For websites you can usually turn it off permanently (if you use IE) but Outlook won't let you do the same for email.

Outlook uses the same certificate store as Internet Explorer. Save your ca.crt file somewhere in your webserver's document root. Serve it out with a application/x-x509-ca-cert MIME type. Internet Explorer will pop up a dialog to allow you to examine and confirm it. Afterward, Outlook will no longer prompt.

So just include "go to this webpage and accept" to your mail setup instructions.

Re:So?

[mlong]

Other software which understands IMAP over SSL can handle storing the certificate. Maybe it's deliberate to dissuade people from using non Microsoft server software.

Apparently if you create your own authority certificate, sign all your certificates with it, put it on the website, let the client download it and install it with IE certificate manager, then Outlook will stop complaining. This is the only way...not even downloading the certificate into IE will stop it. Apparently it requires a trusted root. Of course if you use Verisign/Thawte monopoly, it gladly accepts it. I still like Mulberry where you hit one button to tell it to use it anyway and stop bugging you. I have to plug it somewhere as it is not bloated like Eudora and isn't plagued with security holes or restrict options like Outlook, and it runs under Mac, Windows, and Linux. www.cyrusoft.com

Re:So?

[Patersmith]

That's not the point of SSL certificates. When you buy a certificate from Verisign, they are not vouching for your character.

It's like a "secure" ID for web sites. You take the certificate from the abcxyz.com and ask Verisign, "is this the right cert for abcxyz.com?" Verisign says, "yup, looks straight to me."

Nothing more, nothing less.

Re:So?

[EJB]

It is _very_ clearly a bug. The X509 standard includes flags that indicate whether the signer of a certificate allows that the certificate to be used to sign again, and up to what level of steps.

It isn't a technical restriction. It's a matter of standards compliance. MSIE claims to implement SSL, and SSL requires X509 conformance. Since MSIE isn't conformant, it erroneously claims to implement SSL. And I'd say you can call that a bug.

Opera?

[JayAndSilentBob]

The article doesn't mention Opera. Anyone know if it is vulnerable> I certainly hope it isn't. Mozilla is marginally functional at best, and slow as molasses. Having Opera fail would mean there is NO Win32 browser that is safe to use. My bank's gonna be pissed if this gets out too far after their "Safe, Secure, Internet Banking" campaign. Oh worry me.....

Re:Opera?

[13Echo]

Especially considering that a lot of online banks forcefully opt to make you use IE nowadays which is rediculous). I usually have to set Opera to act as IE5 or Mozilla 4.78 to get banking sites to allow me to log in. Makes it a pain for Linux users like myself, when the bank insists that you use an insecure browser.

Where is the logic in that?

And please don't take this as a flame against Windows and IExplore. Konq has the same problem, but it will be fixed like- immediately. No waiting on the MS code monkeys to do the job.

Re:Opera?

[bmfs]

Just tried it (opera 6.02/Linux) and it complains... asks whether you want to accept this dodgy certificate and gives you lots of info. So no, it's not vulnerable.

Re:Opera?

[Ninja+Programmer]

Why do the fricking moderators miss things like this?? Why does this get a score of 1?!?! Why is this not like a 3 or 4 "Informative"?

both? what?

[mlong]

IE and Konqueror don't both to check the issuer

I guess you meant bother as in "I didn't bother to proofread my submission to Slashdot"

Re:both? what?

[mlong]

Maybe he used a spellchecker and it went something like:

"bothr" doesn't exist, replace with "both"? Yes.

I myself hardly ever use a spellchecker for exactly this reason. A word could be spelt right but be the entirely wrong word. I suspect it happens quite frequently.

can bug yourself

[armchairlinguist]

Considering how little attention most people pay to who signs their certificates even if they are warned about them, even people with browsers which perform proper checks on these things may be able to affect themselves. Lesson there: read the certificate warnings, I guess.

funny...

[Ender+Ryan]

Just this weekend my fiancee was trying to pay her credit card bill online. However, the bank's site wouldn't allow any browser other than IE into their site to pay. So she used Opera and masqueraded as IE.

So, why on earth would a bank, or all companies, only allow what is probably the most insecure browser around to access the site? A bank for cryin out loud! A company that people trust to handle their hard earned cash, allows only IE to handle "secure" transactions on their site!

And don't get me started on payment processing companies partnering with MS to develop secure payment solutions... You'd think they'd partner with IBM or any other company with a decent track record of reasonable security.

Re:funny...

[mkarpinski]

It gets worse...

My wife is an HR director for an non-profit agency. They have just made the conversion to an entirely web-based payroll and benefits system. This system will only work on IE and with Windows. We had to spend $200 on Virtual PC for the Mac so that she could do work at home.

No only does this contain everyone's payroll information but also medical information, what benefits they have signed up for, bank routing information, etc...

I'm glad she is looking for another job.

Re:funny...

[vicviper]

Probably because the bank is using a 3rd party to perform the encryption and send the transaction to their database. Why require IE? Why not? Who's going to complain?

Re:funny...

[sholden]

Which part of "at home" do you not understand?

Re:funny...

[pi+radians]

Well, my employer has the exact opposite at his bank. He tried to login with IE and the banks website said that they do not trust his browser and suggested that he use Netscape 4.7

Well, since he was running OS X I told him to try it with Mozilla and alas, it worked flawlessly.

We both find it refreshing that at least one online banking system sees IE for the POS that it is.

Re:funny...

[1010011010]

Who's going to complain?

Everyone who doesn't use IE, and a lot of people who do.

Re:funny...

[ceejayoz]

People who do won't know about it, and people who don't are a pretty small minority. I doubt the bank cares.

Re:funny...

[ceejayoz]

What bank is this? Banning 95% of your customers from your site sounds like the kind of business plan a dot.com business would promote...

Re:funny...

[mborland]

That is funny...it might be because they check both the browser -and- the OS. For example, perhaps they let in IE 4+ for all Windows systems, but didn't factor IE in for Macintosh...

I work at a bank, and we don't do a lot of testing for the Mac (not my choice, just the way it goes) so it's possible that, as in our case, the browser requirements just don't make as much sense for Mac because they haven't been thoroughly thought out.

Another difference might be if IE on his box didn't have 128-bit encryption but NS/Mozilla did.

Grammar?

[derch]

Okay, I am getting tired of seeing obvious typos and grammatical errors here. So many Slashdotters feel they are more intelligent than the average user and the unwashed masses, yet the editors and the submitters can't properly proof read stories. The editors can't even be bothered to edit a story after a major typo or when posters plainly point out an article is flat our wrong.

While I'm complaining about Slashdot, when did qualitative kharma replace quantitative kharma?

(If this post contains errors, feel free to point them out. I don't care about grammar in comments. My main concern is decent English in the article write ups.)

Re:Grammar?

[derch]

The editors should gladly fix mistakes in the posted articles just as they gladly praise companies and groups who quickly release bug fixes. Afterall, an error or typo in a write up is an bug and leads to user error and misunderstanding.

How much do we Slashdotters need to complain to our vendor before they'll address these known bugs?

Re:Grammar?

[Old+Wolf]

Well you got 'karma' wrong, for a start. If you're going to criticize the editors (unpaid volunteers) you could at least put the effort in yourself to produce error-free material.

Re:Grammar?

[rpdc]

The editors can't even be bothered to edit a story after a major typo or when posters plainly point out an article is flat our wrong.

flat our wrong?? You sir, are a moron.

Interface this

[First+Person]

Now, in L33T SP34K:

Clearly, this is for you. As for your Scandanavian relatives with professional interests in cooking, you might suggest they visit this instead.

testing Moz 0.9.4 doesn't qualify as a test

[ChrisCampbell47]

Testing Moz 0.9.4 doesn't qualify as a test. Nor does slagging 0.9.4 bugs qualify as slagging Mozilla.

Somebody please turn this guy onto Mozilla 1.0!

Re:testing Moz 0.9.4 doesn't qualify as a test

[aftermath09]

Yea, no kidding. Why doesn't he just try milestone 6 out and say it's crap and doesn't support anything?

Re:testing Moz 0.9.4 doesn't qualify as a test

[jslag]

I see; and testing IE5 and IE5.5 is different how?

Because, dear troll, Microsoft alleged at their respective release times that IE5 and 5.5 were 'release quality' software, while moz made it clear that 0.9.4 was still undergoing development.

Re:testing Moz 0.9.4 doesn't qualify as a test

[Fjord]

Not to mention that IE5 and IE5.5 have had several security updates. While they aren't the most recent version of the software, they are still supported products. Not to mention the fact that IE5.5 is the highest browser a Windows 95 user can and will ever be allowed to use (the reason why our web application supports IE5.5, many corporate customers in our domain haven't moved from 95).

Re:testing Moz 0.9.4 doesn't qualify as a test

[bwt]

Agreed, especially because I personally submitted some of the SSL certificate bugs and they have been fixed (long ago, in fact). 0.9.4 is really old.

Re:testing Moz 0.9.4 doesn't qualify as a test

[OSgod]

Um...

Let's review. Open source product means it's beta for 6 years. Of course you can run it in production and many will because their is no open source alternative. Hence we will call it version .9x.

MS Software releases version 4.x. It's pretty good, supported but has some bugs. MS releases 5.0. It's better than 4.0, fewer bugs and still supported. MS releases 5.5. Better still and still supported. MS releases 6.0. Now we're cooking -- very nice and much fewer bugs.

Your choice was: open source -- beta for years and "unsupported" (community support but for a beta product which means THOU SHALT NOT RUN IT IN PRODUCTION) or MS release software -- relatively solid, improving with each actual RELEASE because MS has the guts to release it.

Hate them yes -- admire them as well. They release software. They improve their software through multiple iterations. They make money from it. All three things that many open source projects only dream of doing.

Anyone care to do a non-scientific poll of say, Source Forge, and find out how many products their are, how many are "release", how many are solidly beta, how many are stuck the quagmire of 1.0 (release but buggy and never having moved)and how many are truly alive? I think it would be interesting.

I'm not saying that MS will beat it -- but they do relatively active product management with a very visible management push behind their product lines.

Re:testing Moz 0.9.4 doesn't qualify as a test

[Fjord]

Or Netscape 4.7 or 6.0.

Do you admire Netscape as well. According to bugtraq, they aren't vulnerable (can't test on my own, unfortunately).

Re:testing Moz 0.9.4 doesn't qualify as a test

[OSgod]

Some of the technology -- yes. They founded a lot of the web (custom tags and all). I personally championed Netscape at a former employer to the point of purchasing (can you believe it) several hundred copies.

They dropped the ball big time as a company -- pretty much disolving completely.

Re:testing Moz 0.9.4 doesn't qualify as a test

[aftermath09]

What does ranting about the lifecycle of open source software actually have to do with the topic? So what if MS releases software MUCH faster? They should! They have a lot of cash to do it. This is about someone testing mozilla 0.9.4 and saying that they weren't sure whether or not it performed properly or just 'fluked' out, when there was a much more up to date version available. Why don't I just complain about IE 3.0 and say how crap it is? Also, the author's comment that mozilla is buggy casts a negative shadow on the program when it could be perfectly fine (IMHO anyway) in it's current incarnation.

Re:testing Moz 0.9.4 doesn't qualify as a test

[des09]

Mozilla 0.94 was a public beta. IE 5 /5.5 is production code. Thats the difference.

Re:testing Moz 0.9.4 doesn't qualify as a test

[cabbey]

This is afterall the register you're talking about...

Copywriting?

[shmigget]

"IE and Konqueror don't both to check the issuer ...." C'mon, Taco, get another pair of eyes on your copy before you post it.

Re:Copywriting?

[Czernobog]

Better yet, write a tool that has the intelligence to correct grammar and syntax errors. Heh.

Re:Whoah...

[elmegil]

This gives us a beautiful opportunity to demonstrate the advantages of open source over closed source when it comes to bugfixes. I'm really interested to see the results and whether reality lives up to rhetoric.

Incident response? Let the race begin!

[simpleguy]

Lets see how fast the KDE team fixes their software and how fast the Microsoft team fixes theirs. If its not already done that is.

Re:Incident response? Let the race begin!

[Chunky-Spinach]

09:08

According to #kde on openproject.net, an uncommitted fix already exists for Konqueror. I'm sure more details will be posted when it has been tested and committed.

Re:Incident response? Let the race begin!

"It's not 'fixed' until the 'fix' has been regression tested and it's known it doesn't introduce additional bugs. Oh, that's right.... that means almost no Free Software is ever fixed"

Amend that. Should be 'no software is ever fixed'

Re:Incident response? Let the race begin!

[tshak]

But will the KDE team have regression tested their fix?

Re:Incident response? Let the race begin!

[BlowCat]

This is not a pro-Microsoft comment.

Where do you want to go toady? Don't you trust the readers to decide?

Re:Incident response? Let the race begin!

[spitzak]

I suspect both KDE and IE have been fixed already. The race is to see who gets the fix to the users first. I suspect that technically KDE will win easily, but only people who do some annoying thing of updating will get it. In about 6 months there will be a Windows Update that will fix IE and at that time I would expect the percentages of broken versions of each program to reverse so that a copy of IE on a random machine is more likely to be fixed.

Re:Incident response? Let the race begin!

[taniwha]

actually the patch is in CVS - should be in the 3.0.3 bug fix release available at the start of next week

Re:Incident response? Let the race begin!

[Arandir]

Oh, that's right.... that means almost no Free Software is ever fixed"

Are you volunteering to start the KDE SQA Project?

Re:Incident response? Let the race begin!

But will the KDE team have regression tested their fix?

The real question is will Microsoft regression test their patch? Ask any Exchange or IIS admin about their wonderful patch testing system.

What are you paying Microsoft for again? Do you even know?

Comment removed

[account_deleted]

Comment removed based on user account deletion

Interesting page

[PacoSuarez]

Take a look here. I specially like the last paragraph about "reimplementing" the bug.

Check the SecurityFocus thread about this here

[Otis_INF]

http://online.securityfocus.com/archive/1/286893/2 002-08-05/2002-08-11/1 (opens in new window).

It seems that it isn't TOTALLY browser related. Verisign and Microsoft both know about this error, according to the people in the thread. It's a good read with a lot of detailed info about the flaw and where the flaw exactly is.

Re:Check the SecurityFocus thread about this here

[MSG]

Yes, it is totally browser related. The post that you refer to says that MS doesn't plan on fixing it, but not that it isn't their problem. The problem lies in their PKI implimentation, and regardless of their public face's claims of focus on security and trustworthy computing, they're continuing their old habits of not fixing problems until their customers force them to.

"You"?

[saintlupus]

You say konqueror's affected?

No, _I_ say konqueror's a dreadful piece of shit. Or at least is was circa KDE 2.2.x -- haven't used it since.

Unless you meant "you" as in "all the Slashbots", in which case I would remind you that not everyone posting here is a filthy GNU hippie.

--saint

Damn.

[FreeLinux]

It's been 20 minutes now and KDE doesn't have the fix up yet.

This is just rediculous. Why are they taking so long? I don't have all day. ;)

Seriously though, with a long list of IE bugs still outstanding and Microsoft blaming Verisign, rather than fixing their software, I'll bet that KDE has a fix a month or more before MS.

Mozilla handles it correctly

[FooBarWidget]

A few weeks ago I ran into a site (forgot which one) that has a certificate belonging to another site. Mozilla detected that and displayed a warning dialog.

Re:Mozilla handles it correctly

[Negadecimal]

A few weeks ago I ran into a site (forgot which one) that has a certificate belonging to another site. Mozilla detected that and displayed a warning dialog.

That's not the problem.

In order to trust a "secure" connection, you need to know two things: 1) who you're talking to, and 2) that who you're talking to is who they claim to be. The warning you enountered involves the first - Mozilla found itself using a certificate that didn't match its domain. No good.

This vulnerability has to do with the second. A site certificate normally has to be digitally signed by a trusted source (Verisign, Thawte, etc). With this bug, you can sign and vouch for your own spoofed certificate.

Re:Mozilla handles it correctly

[FooBarWidget]

In that case, Mozilla is not vulnerable. Go to https://savannah.gnu.org/ and see it for yourself. The website is signed using a certificate created by the Free Software Foundation, which Mozilla doesn't recognize.

Re:Mozilla handles it correctly

[big_hairy_mama]

That page must not reproduce the bug in question (or maybe one of us is confused), but with IE-5.50, I get a warning that "The security certificate was not issued by a company [I] have chosen to trust." Then, I have to click proceed, after seeing the little yellow triangle.

Maybe this isn't the same bug, but if it is, then my non-updated IE is definitely not affected.

Re:Mozilla handles it correctly

[optikSmoke]

That is also not the bug (what your talking about sounds like FSF just self-signs their certificates). It is someone "signing" (or rather, spoofing the signing) of a certificate by a certificate authority the browser does trust, but the browser not checking with the authority to see if they actually issued the certificate (or at elast, such is my interpretation). Thus, if FSF had spoofed the signing of their certificate as being signed by, say, VeriSign, and Mozilla didn't give a warning, then it would be vulnerable.

The Joke

[JamesKPolk]

The only joke here is that so many people somehow trust these publicly held corporations more than they do the average person.

Let's remember that Verisign is the same company that plays dishonest tricks involving .com registrations.

if you install kde-bindings ...

[dlasley]

if you install kde-bindings for konqueror when you install KDE then it uses the mozilla engine to render HTML/CSS/JavaScript etc. when you surf. however, i don't believe installing kde-bindings exempts konqueror from this problem - Security is handled in a separate module within the Control Center. anyone know otherwise?

Re:if you install kde-bindings ...

[swright]

er no, there is an _option_ to use mozilla for rendering instead of khtml, but its not turned on by default.

'nother link

[Draoi]

.. to a buried page on the guy's own site. This shows a little more detail on how to get a test setup running.

The real bug is...

[stienman]

The real insecurity is that they trust Verisign by default.

-Adam

Re:The real bug is...

[Salsaman]

I wonder how secure .net will turn out to be then ?

Try it yourself right now ... here is what I saw:

[wherley]

If you hit the discoverer's web site using Mozilla 1.1b you get an -8183 error and it
will not display the page. Note this is not a complete spoofed-site demo unless you trick your DNS resolver into reporting his IP for www.amazon.com and pull up his page using SSL with that URL.

I would infer that Mozilla is correctly detecting the mistake in the certificate chain.

Notes on another practical demonstration of this bug are here.

Interesting resonance

[wiredog]

With this article from the Atlantic Monthly about Bruce Schneier and bad security.

Re:Interesting resonance

[Beryllium+Sphere(tm)]

That, by the way, is a really good article. Recommended.

Re:I blame Verisign.

[casings]

verisign isn't the only cert my main man. the fact is this IS a browser issue, because Opera (best written browser) isn't vulnerable to it.

Fess up...

[T3kno]

Ok, who stole code from who?

Re:FP

[gazbo]

I can't believe MS have got yet another bug. Their software has just shown time and again that they have no idea how to write secure code. This sort of thing will take them months to come up with yet another Windows Update.

This sort of teething problem is bound to appear in Konqueror and is not really that serious. No doubt it'll be fixed and patched within a few days (or hours if history is any guide!) it's situations like this when you see just how superior Open Source is as a paradigm.

Certificates aren't very effective to begin with

[defile]

Signed certificates simply state that Verisign trusts the company is who it says it is. That's about it. Signed certificates do not define whether your communications are encrypted or cleartext.

Signed certificates cannot prove that:

• The company you're purchasing from is trustworthy
• The certificate wasn't stolen
• Verisign wasn't tricked into signing the certificate (which has happened)
• An attacker hasn't redirected your connection to some other site from the backend (think PHP fopen())

Many companies don't bother with having their certificates signed. It's pricey, an administrative burden, and doesn't really increase security. I'm annoyed that browsers have been swept into warning you if the site you're visiting doesn't support Verisign's cash flow.

It hardly makes SSL a "joke"

[ergo98]

About 99.999%+ of the primary uses of SSL/TLS out there are for transport encryption, not for site authentity verification, and this does nothing to reduce the security of the transport encryption.

Indeed, the site authentity thing is the way Verisign and friends get away with charging ridiculous amounts to spin off a key pair. I'm not saying that it's a useless service (it is nice to know that I'm talking with my bank versus the incredibly remote scenario that someone hijacked their domain), however that feature is pretty low on most people's importance list.

Re:It hardly makes SSL a "joke"

[acceleriter]

And the fact that the browsers come pre-loaded with certificates from the big players, and throw up a big FUD dialog box that implies to a non-technical user that their communications are somehow insecure is basically a protection racket. "Sure, you can self-sign, but your users will be calling your technical support desk and may be a bit worried about your security. Are you sure you don't want to use our services?"

Re:It hardly makes SSL a "joke"

[anthony_dipierro]

About 99.999%+ of the primary uses of SSL/TLS out there are for transport encryption, not for site authentity verification, and this does nothing to reduce the security of the transport encryption.

Umm. No. You are wrong. If you don't authenticate the person you are talking to, then you are vulnerable to a man-in-the-middle attack and the security of the transport encryption is nil.

Re:It hardly makes SSL a "joke"

[ergo98]

Ummm. No. You are wrong, or at least you decided to take my point out of context. As mentioned, saying SSL is "junk" when the transport encryption is unaffected is just plain dumb. Someone could very well have a master signing certificate from one of the major authorities right now....OH MY GOD! THE SECURITY OF SSL IS "nil"! Clearly it is useless, and can only work if we telephone every vendor whom we make a connection to and get a verbal confirmation...hrmm, how to confirm that the phone call went to the right place...okay, we'll telephone the vendor, and simultaneously telephone a third party who'll go to their office and cell phone us while monitoring them speaking with us. Now THAT'LL be secure. Oh, wait...

I have "authenticated" the person I'm talking to when I did a DNS lookup and direct my packets to their IP. Yes, I'm completely agreeing that it's possible to give bogus DNS replies, or to somehow intercede in the packet stream (MITM), but the likelihood of that is unbelievably remote (and performing overt acts like that is far more easily tracable and punishable than just doing a logged sniff). Note that most users do actually care that their shopping cart is encrypted, but virtually everyone just clicks past the "WARNING! This certificate is not valid!" warning.

Let me repeat: Saying that the security of transport encryption is "nil" is ridiculous panicky BS.

Re:It hardly makes SSL a "joke"

[anthony_dipierro]

As mentioned, saying SSL is "junk" when the transport encryption is unaffected is just plain dumb.

The transport encryption is affected.

Yes, I'm completely agreeing that it's possible to give bogus DNS replies, or to somehow intercede in the packet stream (MITM), but the likelihood of that is unbelievably remote (and performing overt acts like that is far more easily tracable and punishable than just doing a logged sniff).

I disagree. It isn't very hard at all to give bogus DNS replies. About as hard as sniffing a connection.

Let me repeat: Saying that the security of transport encryption is "nil" is ridiculous panicky BS.

I disagree. Note that I don't mean to imply that it renders online banking or credit card transactions unsafe. Personally I'd be willing to send my credit card numbers over a completely unencrypted network. But what I am saying, and what I stand by, is that this hole decreases the security of https transactions to those of http transactions.

Perhaps, as you seem to imply, it was already there to begin with, and https is just a marketing ploy to get people to feel safe about giving their credit card numbers over the web. Personally the only safety I assumed from https was that the web page I was connecting to was most likely not DNS spoofed. Any information I sent would be accessible by hundreds of employees anyway, so it's not like I'm going to send anything truly private to amazon.com. This kills that, at least for IE, which I rarely use anyway.

Re:It hardly makes SSL a "joke"

[ergo98]

I realize that you intended to reply to me so I'm replying here.

I completely agree that within the artificial environment of a corporation (or of a "OH MY GOD!" scenario setup), one can very easily redirect DNS (indeed, the whole idea of a proxy is by design a man-in-the-middle), however the people in charge in that case are equally capable of installing keystroke loggers/trojans on every workstation anyways. No one should consider anything typed on a computer you don't own to be safe, and I certainly wouldn't consider the authentication feature of SSL as my security blanket.

My point was that one can bring up countless, fanciful, worst case scenarios: People talk about viruses that rewrite your host file, as if SSL authentication would somehow protect against that: Such a virus/trojan could just as easily add their own trusted root certificates to your machine, or as previously mentioned they could just stick on a key logger and be done with it (why bother emulating a whole site or acting as a man in the middle when you already ownz the machine?)

Re:It hardly makes SSL a "joke"

[Jay+L]

Ergo, I'm curious, then - What is the point of traffic encryption, if not to stop somebody that's able to sniff your connection from reading your traffic?

That is, under what circumstances could somebody read your unencrypted traffic, but not now be able to perform a man-in-the-middle and read the encrypted traffic too?

From what I can gather, the answer is "none".

Heres a fix for IE....

[CrackerJackz]

If I understand the problem correctly

Tools -> Internet Options -> Advanced :

Check :
Check for publisher's cert revocation
Check server cert revocation
Check signatures on downloaded programs
*** Warn about invalid site certs

Ta-da, you not get a dialog box asking of you want to continue if you hit one of these sites (someone earlier posted a link to thoughtcrime.com)

Re:Heres a fix for IE....

[MikeBenham]

That doesn't fix the problem. You're not testing it correctly, contact me offline if you want to do some actual testing.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Certificates aren't very effective to begin wit

[PigleT]

"I'm annoyed that browsers have been swept into warning you if the site you're visiting doesn't support Verisign's cash flow."

I know the feeling... the only other problem is, though, how does the vast consumer-base out there deal securely online? It doesn't add anything to have to phone up to read out an SSL certificate fingerprint - you might as well just place the order over the phone!

Maybe what we need is a kind of web-of-trust like the idea of a PGP key-server, only for SSL certificates?

Re:Whoah...

[Anonvmous+Coward]

"... you mean Linux isn't 100% secure? How humbling!"

Doh...

"...user has given a Flamebait (-1) moderation to your comment, Whoah..., attached to IE and Konqueror Bug Makes SSL Insecure. Your comment is currently scored (0)."

I guess it wasn't, my mistake. Never mind that if I made that comment about Microsoft I'd get a +1 Funny.

Frankly, my feelings aren't hurt. If I'm going to get modded down for pointing out that Linux has it's own security problems, that's fine. I'm not the one who's pride's gonna bite me in the butt down the road.

How long ago did Mozilla 0.9.4 come out?

[aftermath09]

Did anyone notice how he mentions Mozilla 0.9.4 and totally neglects Mozilla 1.0?

Re:Certificates aren't very effective to begin wit

[esarjeant]

I can't agree more, SSL is really only practical for preventing intermediate parties from sniffing the wire and accumulating data in cleartext.

With that said, how is this attack any different than any other man-in-the-middle attack?

Re:Whoah...

[Anonvmous+Coward]

"Konqueror != Linux, unlike IE which IS part of Windows (see Microsoft's own testimony in the antitrust trial)."

It still comes with KDE. Now, to be fair, it's not as interconnected as say Outlook is to IE. However, SSL is a typical browsing mode that has to be secure. Just because the problem exists, it isn't anymore a vulnerability to Windows than Konqueror is to Linux.

However, that is far from the point I was making. The point I was making was that security on any OS or browser is a myth. Switching to Linux doesn't make your computer more secure, it makes it more obscure.

The only reason that hasn't harshly been demonstrated yet is that Linux users are few and far between compared to Windows or even Mac users. So Windows bears the most of the brunt of the effort put into taking it down. Trust me, if/when Linux has it's day, it'll have it's share of security related issues as well. I don't care if you disagree with me on that point or not. However, you're not doing yourself any harm by treating your computer as though it is vulnerable, and take sensible precautions.

Overall Impact

[photon317]

Please beware that the overall impact of this problem is relatively minimal. The sky isn't falling. What this allows is a man-in-the-middle attack without the usual telltale browser confirmation box that one sees when using an unsigned certificate. The attacker still has to get on the network between you and the website and essentially transparent-proxy your connection through a rogue ssl proxy to make this all work. For the most part people with this level of network access for wide numbers of people are not so devious as to actually do this for profit.

On another note - if they did a traditional man-in-the-middle SSL attack, it might be very hard to track down who did it, but it would be very easy to tell it was being done (because you'd get a browser warning about the certificate not being vaild for this site and/or signed properly). With this new approach, you get no browser warning, but it's presumably easy to track down the culprit, since the certificate signing chain will include a legitimate cert issued to the attacker that can be queried at Verisign or whoever they used - unless they steal a cert from someone else.

Re:Overall Impact

[kalidasa]

The attacker still has to get on the network between you and the website and essentially transparent-proxy your connection through a rogue ssl proxy to make this all work.

So, https://store.micros0ft.com/ won't do it?

Re:Overall Impact

[greenrd]

Oh yes, credit card thieves would never go so low as to steal a random certificate...

Re:Overall Impact

[KjetilK]

The last time my bank changed certificates, I called them up and had them read the fingerprint to me. Seems like a good thing to do, I figured. It was the first time anybody had called about that, but they did find it after half an hour on the phone, and the guy in the other end did understand the value of it. Really, I would like all their offices to have those fingerprints on paper, so I can go there and check.

Re:Overall Impact

[photon317]

Most of the above attacks aren't unique to this bug though, that's the problem. If you can root the client or server, you don't need this bug. If you can modify the DNS records, you don't need this bug (well, you can at least get all the new clients, maybe not the ones who saw the cert once already).

What's unique is that previously if the client, server, and DNS were well-secured, then the only viable remote electronic attack was by a physical man-in-the-middle on the intervening network, and that attack would cause a warning to the browser (which many would sadly just click past) - now with this bug, the browser warning goes away.

Re:Overall Impact

[shess]

For some reason, I was under the impression that preventing man-in-the-middle was one of the primary _points_ of public key crypto. You're saying that if the end-user isn't paying attention, they were exploitable in the first place. The problem is that now if the end-user _is_ paying attention, they're also exploitable.

Re:Overall Impact

[photon317]

If you can slip in code, you don't need this bug.

I'll give you 2 new attacks, but not 3 :)

1 - raw network man in the middle - this bug kills the browser warning.

2 - DNS Spoof - ditto, it kills the browser warning for you.

In both cases though, the attack was possible to begin with - you've just eliminated the warning, that again I think most bulk users would click through.

Re:Overall Impact

[bwt]

What this allows is a man-in-the-middle attack without the usual telltale browser confirmation box that one sees when using an unsigned certificate. The attacker still has to get on the network between you and the website and essentially transparent-proxy your connection through a rogue ssl proxy to make this all work.

Any IP address can be "between you and the website". All he has to do is to get you to click a link to his site while giving the impression you are going to the desired site.

Spammers do this all the time: send a spam saying you need to change your bank password because it is expiring and providing the link to YourBank. You click the link, which goes to the middleman (I used slashdot just to illustrate), which identifies itself to you as your bank using a falsely certified cert.

He can simply forward all commands that you send to your real bank while he captures the data. If you've already fallen for it by going to his link, then you won't notice until months later when your cash disappears.

He uses a stolen CA'd cert and a hacked box for the middleman and is therefore completely untraceable.

Re:Overall Impact

[mjh]

The attacker still has to get on the network between you and the website and essentially transparent-proxy your connection through a rogue ssl proxy to make this all work.

I don't think so. All the attacker has to do is mimic the looks of the site enough to be convincing. At which point getting you to go to the wrong site is realtively easy. DNS is UDP based. So if I want to convince all users at my ISP that www.amazon.com is at my IP address, I simply generate a DNS request for www.amazon.com to my ISP's DNS server, immediately followed by a reply that appears to come from one of amazon's DNS servers. I can even set the TTL to something fairly large. I've now effectively poisoned the DNS cache of my ISP's DNS server, so that when anyone from my ISP wants to go to www.amazon.com, they go to my machine instead.

Getting in the middle isn't really that hard. It used to be that getting in there w/out triggering the SSL verification was hard, but now it's not.

Re:Overall Impact

[Rob+Parkhill]

Actually, this could have a huge impact on the current SSL Certificate Market.

To start with, I worked for Entrust for many years. It was my job for 1.5 of those years to run just about everything technical behind their SSL certificate business.

Now you see, a company can't just hang out a shingle and start selling SSL certs. First, they need to have their root cert 'trusted' by the browsers. How to do this is different with each company who makes a browser.

But even if you know all the right people to talk to, and you get your root cert in the next shipment of all the browsers, you still don't have much of a business since there are all of those annoying older browsers still kicking around.

This is why Verisign can charge more for a cert than a place like Globalsign or Entrust. They have their root cert in a much higher percentage of the browsers. Big companies eat that fact up. Why pay $150 to get 95% browser penetration when for only $349 you can have 99.5% penetration?

Verisign's entire SSL cert business is based on this. The near impossibility of anyone else entering this market within the next few years allows them a virtual monopoly. (90% of the market? it's dropped a lot since the $45 certs started coming out.)

Now, however, something terrible has happened. It seems that 90% of the browsers in that 99.5% penetration number can't be trusted (these numbers pulled directly from my ass... just using them as a rough example.) There is a serious flaw in the SSL implementation. What this could do is reset the playing field. No longer does Verisign have that 10-year head start getting their root certs into the browsers. If it comes down to everyone with IE needing to install a patch, and most likely upgrade to a newer version of IE, they lose their biggest selling point. Their sales types are losing sleep over this right now.

Suddenly that company selling SSL certs for $45, but with only a 85% browser penetration, is looking pretty good. Since you shouldn't trust all of those old browsers that fall into the 15% that are not supported by these cheap SSL certs, why bother spending the extra $300? Hell, some SSL cert companies can turn around a cert request in a few minutes now since they have basically stopped doing any verification other than domain ownership. (Just put an "ou=this domain has not been verified" in there to keep the lawyers happy.) $45 certs in 15 minutes instead of $349 certs in 3-5 days? Sign me up.

Whoops, there goes the SSL certificate market.

I'm sure that Verisign and MS will spin this to reduce the damage, but the fact that this exploit exists means that you simply can't trust any SSL website while using one of these broken browsers. Well, you can study the certificate chain yourself and look for irregularities, but come on, I doubt that even 1% of the -slashdot- crowd knows how to do that, let alone the general web-surfing population.

Sometimes I'm glad I'm not in that business anymore...

Re:Certificates aren't very effective to begin wit

[MikeBenham]

Normally when a man in the middle substitutes his own certificate for the original destinaton's, the browser will pop up a huge warning dialog saying that the certificate isn't signed properly or that it is named incorrectly. With this vulnerability, that doesn't happen. You can exploit this vulnerability to "sniff the wire and accumulate data in cleartext." See sslsniff: http://www.thoughtcrime.org/ie.html

The Win32 API isn't fundamentally flawed...

[dave-fu]

...any more than gcc is "fundamentally" flawed because it allows the use of sprintf() and sprintf()s have been the cause of countless buffer overflows.
Good developers use the tools, bad developers end up getting abused by them. The concepts of how to properly use them have been kicked around for years; if a programmer decides to use an inherently insecure protocol as a security mechanism, whose fault is it? I suppose it depends on whether we're developing for Microsoft or *nix, eh?

Re:The Win32 API isn't fundamentally flawed...

[kasparov]

After more checking, I agree. You are correct. Win32 API is not fundamentally broken. It is again, an implementation problem. Thanks for pointing that out.

Re:Whoah...

[Lussarn]

Trust me, if/when Linux has it's day, it'll have it's share of security related issues as well.


Linux already has it's share of security related issues and they are handled very proffessinally and mature whenever they come.

On Linux there is no need to first call the issue a feature, then right out denying that there is an issue, then say that it is too hard to exploit and 6 month later get a fix anyway.

Thats why we like Linux and Open Source.

Translation:

[hklingon]

I buy a cert from Verisign.. and I'm trusted. And I issue certificates to my friends based on mine.. because I trust my friends. But Verisign isn't supposed trust my friends necessarily, because I do.

Messages are good

[iamacat]

Because basically it's equivalent to a plain HTTP connection. Even if you already have a valid key for a site stored, after I spoof it I can just send you a new one and you'll probably accept it as well. Even for the first use, the risk of attack may be small for you but not for the website owner that may see a lot of users sign up and be owned during a few hours when it's spoofed. Sorry, but I am not ordering from you with my credit card if you saved $150 rather than give me at least minimum assurance you are who you claim to be. At least Verisign has your credit card or bank account information. It could be that we need better CAs, ability to block ones we don't trust and at least one of them that issues free keys for non-profit sites that need security. But in the meantime, I would be happier if any well known organization can vouch that you are who you claim to be - even if you use CAs such as Microsoft, RIAA and Church of Scientology.

Re:Messages are good

[des09]

Mozilla allows deleting of CA's in the security preferences.If you decide not to trust verisign, just delete it from your list of trusted CA's.

I would like to see an extension to ssl whereby a third party can be consulted for a security audit of the cert chain. eg. as it works today, I type https://www.amazon.com, and my browser is presented with a certificate chain that is ultimately signed by CA x. Based on this the cert is verified, and my browser trusts that it really is talking to ssl.buymorepr0n.com, that no-one else can decrypt our conversation, and no-one can insert themself into the middle of the conversation.

I percieve this to be a problem because I have no choice in how much I want to trust CA x, and my browser. I get to either trust them both completely, or not at all.

I want to be able to send the cert that I recieve from amazon to a third party server that reviews the chain for any discrepancies, and checks its own crl list before giving me a thumbs up.

The thing that I find truly amazing is that visa and the banks all complain about how bad online fraud is, and how much it costs every year, yet they don't do anything to really dent the problem. Not even a decent customer education program!

Self-signing doesn't fix anything

[Sloppy]

Self-signing doesn't fix the problem. Instead of the it being signed by one mysterious party who nobody knows, it's signed by some other mysterious party who nobody knows.

A Web-of-Trust is the only way to really have much confidence that you're not being Man in the Middled.

Or to put it another way: SSL sucks, PGP rules.

Different standards

[greenrd]

Most people hold a multibillion dollar corporation to different standards than a ragtag band of volunteers. Is that so wrong?

Besides, the poster has a point. In case you haven't been keeping up lately:

1. Microsoft gets worried about their bad record in terms of security - reflected in anti-hacking insurance premiums amongst other things. Which are calculated by actuaries, of course - not random Slashdot posters.
2. Microsoft made a big song-and-dance to the press about their month-long code stoppage and security awareness initiative within the company.
3. Since then, has their security record improved? Does the fact that they have no plans to fix this bug, ever strike you as a little odd?

Contrast that to the fact that the Konq people already have a fix available for testing, and I think you'll find that even were we to hold a multibillion dollar corporation to exactly the same standard as a handful of volunteers - which would be absurd, in the general case - it looks like Konquerer is going to come out ahead.

People who bogusly defend multibilllion dollar corporations against altruistic volunteers annoy me.

Re:Certificates aren't very effective to begin wit

[gorilla]

Don't forget that the certificates cannot control the data once it's been uploaded to the server. How many attacks have their been where the DNS was redirected to a false server compared to how many have there been where the true server was compromised? SSL certificates are a solution to the wrong problem.

Re:Whoah...

[NanoGator]

Sorry bud, ya did write that in a Linux-unfriendly way.

I do agree with you, though. To assume that a system is any more secure than another system is ridiculous. You're just begging for a huge problem that way. It's nice that Linux is free from some of the common Windows issues that come up, but shit still happens. The true problem isn't defects in the design of either OS or application. The true reprecussions of an exploit used in a system are multiplied by the dependence on the system.

If it's really important for me to have a particular file, but I only have the one copy on my hard drive, then a Windows or Linux exploit's true danger cannot be measured by the loss of my file. If that file costs me my job, I can't say that anybody in particular is responsible for my lost wages. It's my own fault. I overly trusted my system. I didn't make a backup of the file. I didn't set up a firewall or take sensible internet precautions. Maybe I bought a defective hard drive. Who knows?

It doesn't matter which OS you use, you still have to be cautious.

Konqueror doesn't validate certificates at all

[phr2]

That's sort of a plausible security-convenience tradeoff, deciding not to validate the certs means you just want confidentiality and aren't worried about active MITM attacks. The convenience is you can browse sites with selfsigned certs without getting obnoxious cert dialogs. The SSL just gives you confidentiality, not authentication. It's maybe a little bit foolhardy, but at least you can imagine somebody deciding to do it that way even if you don't agree with it.

Going to the trouble of validating the certs but then not checking the CA attribute bits, like MSIE does, is just stupid.

This is truely wonderful - if lessons are learned.

[Observer]

Assuming the sources cited are accurate, we now have two independent misimplementations of SSL certificate handling, indicating that two purveyors of software that is entrusted with providing a secure (ie, private and authenticated) communications channel have screwed up in a way that suggests they did not understand properly what they were doing.

Rather puts buffer overflows into the shade, doesn't it?

As the late Professor Doctor Edsgar W. Dijkstra commented: "If you don't know what your program is supposed to do, you'd better not start writing it." RIP, a great man.

Which bank?

[jesser]

Which bank disallows IE?

Re:Try it yourself right now ... here is what I sa

[sehryan]

Uh, that website you mention...thoughtcrime.org...I hit it with IE6, and it gives me a warning saying "Everything checks out EXCEPT the address on the certificate does not match the address of the site trying to send it." Then it gives me an option of accepting it, rejecting it, or viewing the certificate.

How exactly is this a bug? IE saw a problem, reported the problem to me, and gave me options on how to handle the problem. If a user decides to hit "Yes" thats their problem, not IE's.

How do I get my key signed?

[yerricde]

A [PGP/GNUPG style] Web-of-Trust is the only way to really have much confidence that you're not being Man in the Middled.

I understand the advantages of PGP's model over SSL's, but under PGP's model, how do I get my key signed by somebody who does not live within a few kilometers of my residence? How do I, an individual who wants to send and receive secrets to another party who lives on another continent, establish a chain of key signatures from myself to the other party?

Re:How do I get my key signed?

[aminorex]

What you have is a statistical sampling of the
judgements of consumers of that key. Really,
a chain of trust is a silly idea anyhow, because
trust is modal. I may trust you not to cheat me,
but that does not mean that I trust everyone you
introduce to me not to cheat me. That's how
venereal diseases spread.

When we have a global relation store built on hash
circles, then you can fetch a record of all the
people who will rate a key, what modality they
are rating it in, and how they rate it.
As a result, you will be able to model their
likelihood of default in all well-defined
modalities, if the sample is large enough.

I sign the keys of people I know by phone, or
interact with entirely online on an ongoing basis.
I don't see what distance has to do with it.

Re:Certificates aren't very effective to begin wit

[Sloppy]

Maybe what we need is a kind of web-of-trust like the idea of a PGP key-server, only for SSL certificates?

That is exactly what is needed, and deploying it with Mozilla, has the potential to make it become mainstream very quickly.

Re:Try it yourself right now ... here is what I sa

[MikeBenham]

That URL alone isn't a full demonstration. Your browser notified you of a problem because it thought the web site was www.amazon.com, and you typed in www.thoughtcrime.org. You have to edit your hosts file:
66.93.78.63 www.amazon.com

For the full effect.

Re:Take that B of A!

[TeddyR]

One bank security official once told me unofficially wrt that is that the bank does not like the fact that the source is availible. To them, this means that anyone can compile the browser and "take out" some of the features that make the browser secure. Or trojan it to make an SSL connection, get the username/password, and dump it to a text file or send it remotely.

With the older closed browsers there is supposedly a much smaller chance of that happening.

Try Opera... Some of them disallow NS6, but allow opera...

Re:i don't follow you

[pi+radians]

[i]When did working flawlessly become a bad thing?[/i]

My point was that while Mozilla was accepted (which is good) and IE wasn't (which was funny, and a little relieving).

Sorry if you didn't understand.

You don't get it

[pclminion]

Sure, it boils down to whether or not I can trust you. But how do I know that your signature is *your* signature?

By consulting with a mutually trusted third party, of course. A similar concept as that of a notary public. (I said similar, not identical).

Trust centers such as Verisign make it a little simpler to verify identity: I don't have to personally check you out myself -- I accept Verisign's "voucher" that you are who you say you are, and therefore I offload my research responsibilities onto Verisign.

This is not a perfect system for many reasons. But you can't HAVE a perfect secure system. I think this system is about the best we have for now.

Re:Try it yourself right now ... here is what I sa

[karmawarrior]

Wrong error. The bug here is not that a website is saying it's X when in fact it's Y, it's saying that it's X and saying Z has said it's X and Z hasn't. So I assume what's happened is you typed in "thoughtcrime.org" into your browser, it identified itself as "amazon.com" and you got the error you're describing.

Now, do the spoof as he suggests. Edit your hosts file so that www.amazon.com has www.thoughtcrime.org's IP address, ie put in the line: 66.93.78.63 www.amazon.com into your hosts file. Where that file is depends on your system; in Unix it's in /etc, in Windows 9x it's in C:\WINDOWS (or whatever %WINDIR% is), in Windows NT it's something like C:\WINNT\System32\Drivers\etc. It's a plain text file. To confirm you've set it up right, type "ping www.amazon.com" afterwards, if it's pinging 66.93.78.63 then you're all set.

Now open your browser, and go to https://www.amazon.com/. If you don't get an error, your browser is vulnerable.

Re:Whoah...

[Reziac]

[laughing] Man, you got that one right... I have "excellent" karma, thus the +1 bonus, so my posts start life at +2 by default. The other day I posted a quick "how to keep your credit card a bit more secure in the event that it gets lost or stolen" and some moron modded it "Overrated", even tho it was still at its +2 default. Yeah, that took real modding skill.

Anyway... a bit to the topic at hand: my preferred browser is NS3.04, which is old enough that it thinks most of these Certs are no good anyway. To get to the test page, I had to jump thru all the hoops involved to get NS3.04 to accept the cert for this session only, and that meant going against the defaults in 5 or 6 dialog boxes before I finally reached the "you've been hacked" page. There's no way I could avoid noticing the problem!

Most users would have gone "Whoa, NS thinks this site is like really bad, let's not go there!"

Re:Whoah...

[GutBomb]

IE which IS part of Windows My solaris and mac versions of IE beg to differ with you there, buddy. The windows version is integrated into windows, however the versions on other platforms are simply regular applications (unless they are loading a windows implementation in the background just to run correctly)

Re:Certificates aren't very effective to begin wit

[mpe]

Signed certificates simply state that Verisign trusts the company is who it says it is.

Other than take money do they do that much to establish that the company is who they say they are.
Anyway the certificate can say that the company is A and the webpage can say it's company B. If the certificate is okeyed by Verisign the user won't even see the certificate by default.

Forget your friends... Re:Translation:

[Vortran]

"I buy a cert from Verisign.. and I'm trusted."

That's it. That's all you need. I bought a bunch of certificates. I'm very trustworthy. Most of the certificates I issue are registered to the likes of Daffy Duck and Mickey Mouse, but people still download my ActiveX controls and anything I sign with my extra-special digital certificates.

I'd say more, but I don't want a horde of drooling trolls from Verisign to ravage my feet and ankles.

Taking trustworhtiness to new heights... buy your own digital certificate TODAY!!

Vortran out

Re:Try it yourself right now ... here is what I sa

[Melantha_Bacchae]

I tried the thoughtcrime.org test with the browsers I keep around under OS X. Here are my results:

Mozilla 1.0: passed (the others are right, the error message could be more user friendly, but it worked)

Chimera 0.4.0: failed (no SSL options in Preferences, also an early version without many features)

Omniweb 4.1 (v422): failed (SSL options in Preferences)

iCab Preview 2.8.1: failed (no SSL options in Preferences)

By "failed", I mean displayed the web page with no error messages (which I presume is the test). Some of those that failed don't appear to provide SSL support in the first place.

OmniWeb doesn't have much excuse though, it appears to have SSL support, and it is not a beta.

It's beginning to look like Mozilla is the only one on the ball here.

"What I'm thinking is different from what you are."
Belabera, "Mothra 3" 1998

Re:Certificates aren't very effective to begin wit

[Jucius+Maximus]

"Signed certificates cannot prove that: The company you're purchasing from is trustworthy, The certificate wasn't stolen, Verisign wasn't tricked into signing the certificate (which has happened), An attacker hasn't redirected your connection to some other site from the backend (think PHP fopen()) "

This is what Thawte certs are supposedly for. The company officials from Thawte physically visit your location to determine if you are a legitimate business with an honest operation. (note: I don't know if Enron ever got a Thawte cert)

potential MitM there as well

[yerricde]

I sign the keys of people I know by phone, or interact with entirely online on an ongoing basis.

I understand how it would work by telephone (read the hex digits of the fingerprint) because the public telephone system is a reasonably secure system, but I don't see how it could work for signing a public key you see on somebody's web site. How do you know the connection over which your online buddy sends her key isn't tampered somewhere between her computer and yours?

Finally...

[Pr0xY]

it's about time that slashdot pointed out that it wasn't just a microsoft product that has the problem. I mean I love linux, but /. tends to be pretty damned biased :P

Re:Certificates aren't very effective to begin wit

[kingkade]

Correct, but signed certs certify that the public key contained within is actually the public key of that trustworthy organization (and not maliciuos Bob) and can therefore be 'safely' used to encrypt traffic upstream.

Also, versign is but one of several certificate authorities.

Obviously if you certificate to be 'stolen' you'd have to give up your private key, which is by definition private.

I may have misunderstood some your points somehow, though.

Re:Certificates aren't very effective to begin wit

[dmadole]

This is what Thawte certs are supposedly for. The company officials from Thawte physically visit your location to determine if you are a legitimate business with an honest operation. (note: I don't know if Enron ever got a Thawte cert)

No they don't. I've bought Thawte certificates for both a fortune-500 company I work for and also for my own one-man company and in both cases all I had to do was fax an authroization letter along with the corporate filing or articles of organization and supply a D&B number. Funny thing about that is I didn't even know my one-man company had a D&B number until I did this. They're apparently so easy to get it pretty much happens automatically after you're in business for a while.

Re:Whoah...

[Salsaman]

It's flamebait because it's not a security bug in Linux, it's a bug in Konqueror.

The encryption is still just a good

[KlomDark]

Using SSL to positively identify that the site you think you are connecting to IS the site you are connecting to, has always seemed a bit ridiculous. So many ways around it.

My biggest concern is to make sure my data is encrypted from point A to point B so that no one inbetween with a sniffer can get my data.

Sure, it'd be nice to be sure that you are really connecting to where you are intending to go, but the SSL approach is a complete failure, so anyone who depends on it is just asking to be slapped.

Give me encryption, and give me a way to make sure that I'm not being spoofed, but don't tie them together, they don't belong together and it's all kind of pointless.

This is not something new

[Satanboy]

I have seen this many times.

When I worked for a large ASP (app serv provider) we actually had problems with some servers doing this because of the way IIS was set up (misconfigured).

anyways, I always figured it was a security issue but I never trust anyone so it was never a big deal.

I have seen this particular exploit used a lot by things like comet cursor and other spyware/adware. They always say they are "trusted" from Microsoft. Funny thing is, since Mozilla I haven't seen any of this.

-hmmmmmmmmm

But if I were a master criminal....

[Confuse+Ed]

then I would:

1. outlay a bit of cash to set up or buy in to a business that let me provide a bit of the internet backbone.
2. One day substitute a computer doing a man-in-the-middle attack on a selection of banks and online share-dealers for one of the routers (or simply insert it between two running routers, if there is nobody around to notice the extra box). It doesn't need to do anything clever - it can just act as a proxy to the to the intended receipient (forwarding all the incoming http requests in new ssl connections) and log everything.
3. After a suitable length of time, swap out the router and take the logs away, hopefully before anybody discovers the attack so that nobody even knows that it has happened.
4. At you leisure, go through the logs and pull out peoples account information, usernames and passwords from the logs, then use them to log in and buy/sell/transfers shares and money to your hearts contents (obviously anyone doing organized crime on this scale will also need to set up some kind of money laundering scheme to make the money untraceable)

The chances of being discovered during the time that your conducting the attack can be minimized by parsing the http headers for the browser type, and only attempting the attack for clients using vulnerable browsers. This way you could leave it in operation for longer, and steal more information.

So what have I missed here? is there some other aspect to this that makes it more complicated than I've made out? stealing the certificates was meant to be the difficult part, getting access to the network is not difficult if you are big enough, and creating a transparent-proxy is going to be relativly easy.

oops, correction

[Confuse+Ed]

Somewhere there I wasn't thinkging straight:

Obviously you can't parse the http header for the browser type until after you've already set up the ssl connection, which you won't have been able to do if the browser was not susceptible .....

However, the attack would still work, you just rely on grabbing enough passwords and stealing enough money before being discovered and shutdown to make it workwhile.

also re:
> that your conducting
should read
"that you're conducting"

Re:Take that B of A!

[Centove]

If by 'B of A' you're referring to Bank Of America, it works fine for me with mozilla 1.xx and various nightlies (no I'm not spoofing the browser ident either). And I _do_ use the online bill pay stuff.

*shurg*

Fix is in KDE CVS

[Parys]

According to the recent email to the kde-devel mail list, the fix for the SSL vulnerability is in KDE CVS and the stable KDE 3.0.x branch and will be part of the 3.0.3 release next week.

Re:Certificates aren't very effective to begin wit

[Jucius+Maximus]

"No they don't. I've bought Thawte certificates for both a fortune-500 company I work for and also for my own one-man company and in both cases all I had to do was fax an authroization letter along with the corporate filing or articles of organization and supply a D&B number."

Interesting ... I read an account from one company where the Thawte people actually physically came to the premesis (a computer equipment + mod/cooling + hotrodding shop) and verified that they were a real legitimate business. If you browse the linked site's news archives, you'll see mention of it.

Re:Whoah...

[petard]

Actually, you are correct about the mac version but the solaris version does load a win32 implementation just to run correctly.

Re:Take that B of A!

[roca]

> With the older closed browsers there is
> supposedly a much smaller chance of that
> happening.

Completely wrong. With a little practice and the right tools it's easy to understand and modify binaries. The idea that binaries are somehow "hard" to work with is a pervasive myth that has no basis in reality.

In this kind of situation, i.e., an opportunity to install some trojan, I wouldn't even bother trying to modify the browser, whether I had the source or not. I'd just inject a keyboard sniffer into the user's system.

Re:Whoah...

[cortana]

Interesting point. Although I beleive that IE for Solaris does emulate/whatever the term is portions of the Windows API, IE on the Mac shares only its name with its Windows counterpart.

Would you care to try the demonstration exploit for IE on the Macintosh, and post results?

It's still Monday morning!

[Bassman59]

The problem lies in their PKI implimentation...

Re:Whoah...

[TrentC]

It still comes with KDE.

"Comes with" is not the same as "integrated and running". I don't have a lick of KDE on my Linux box anywhere.

Jay (=

Re:Try it yourself right now ... here is what I sa

[Egoine]

>Wrong error.

No.

I tried with moz1.1beta and I get the -8183 error.
Not vulnerabl (I did change my host file and ensured IE 5.5 is vulnerable).

Useful for employer monitoring

[BoVLB]

This sort of attack does have one interesting use. A company that wants to transparent-proxy (and hence monitor) all of its employees' web-browsing can now interfere with SSL connections.

Re:Whoah...

[Anonvmous+Coward]

This flaw does not expose Windows to any more problems than is exposed to Linux. If I'm running Opera on Windows, it's not an issue unless Opera itself also has the issue.

To put it simply: This is not a devastating blow to my point.

Fixed in Konqueror

[sc0rpi0n]

Message on kde-devel:

Date: Mon, 12 Aug 2002 10:22:55 -0700
From: Waldo Bastian
Subject: SECURITY: Konqueror SSL Vulnerability
To: kde-devel@kde.org, kfm-devel@kde.org

Konqueror (kssl to be precisely) fails to detect certificates as invalid that
have been signed by an issuer who is not allowed to do so. A patch for this
problem has been commited to both the CVS HEAD branch and the KDE_3_0_BRANCH.

KDE packages for the upcoming KDE 3.0.3 release will be updated to include
this fix. We hope to have binary packages for KDE 3.0.3 available by the
start of next week.

Thanks go to Mike Benham and Gregory Steuck for alerting us to the problem.

See also:
http://online.securityfocus.com/archive/1/2 86895/2 002-08-08/2002-08-14/1
http://slashdot.org/articl e.pl?sid=02/08/12/134123 9
http://www.theregister.co.uk/content/4/26620.ht ml

Cheers,
Waldo

Well I see /. says a "fix" is available now...

[gamorck]

if you're using KDE from CVS, the fix is inside or you can wait to next week for KDE 3.0.3 (which will have more fixes for KDE 3.0). Thanks to Waldo bastian for the blazing fast fix (95 minutes since it was reported). I wonder when MS will release a fix.

Considering it takes an entire afternoon to compile KDE 3 I'm pretty sure that ZERO testing went into this so called fix. Wow what a great job by the Open Source community. Its bad when MS releases a Service Pack that BSODs your box, but its okay when some developer without half a brain uploads a fix that he obviously didnt even bother to test. The funny part is that its in CVS and that means about 0.00001 % of all KDE users are going to upgrade to it before there is an official release. Somebody please point out the easy to install hotfix binary so I dont have to redownload and recompile the entire KDE suite. Ooppps! I guess ya can't can you? I guess that means that for all intensive purposes neither MS or KDE have a widely available fix for this yet. Another victory for Open Source! J

Re:Well I see /. says a "fix" is available now...

[HeUnique]

Well, the issue has been known to Waldo Bastian for the last 2 days and he fixed in on both KDE HEAD and KDE 3.0.x branch, and he's now fixing the KDE 2.2.2 branch (for people who preffer to stay with KDE 2.2.x yet).

The patch HAS been tested in the last 2 days, but it took 95 minutes to post a fix since the story was released..

Thanks,

Re:Well I see /. says a "fix" is available now...

[talks_to_birds]

Wow!

/. breaks new ground in the realm of not-free speech!

Posts are now pre-moderated!

What was the offensive term?

"M$"

or

pimp?

t_t_b

Re:Well I see /. says a "fix" is available now...

The funny part is that its in CVS and that means about 0.00001 % of all KDE users are going to upgrade to it before there is an official release. Somebody please point out the easy to install hotfix binary so I dont have to redownload and recompile the entire KDE suite.

First it has to be programmed, you are inside the whole fixing process, maybe this is new to you.

The fix is programmed now, this means that for example Red Hat must now release a security fix for its users, the users could get the fix using the normal update feature of there distribution.

Re:Well I see /. says a "fix" is available now...

[WzDD]

>Considering it takes an entire afternoon to compile
>KDE 3 I'm pretty sure that ZERO testing went into
>this so called fix.

Since this person is a KDE developer, it's highly likely that he has a build tree already. I hardly think it takes an entire afternoon to recompile a single Konqueror object file and then relink libkonq.

And as the AC pointed out, it's "all *intents* and purposes". Your version is not merely incorrect - it doesn't make sense, either.

Re:Well I see /. says a "fix" is available now...

[Vampyr]

There is a new version of KDE (3.0.3) due out in about a week, which will obviously contain the fix, and will have been very thoroughly tested by then. It's up to your distributor to package a binary fix for older versions.

The fix does not require a full rebuild of KDE, only a small portion of kdelibs, and takes just a few minutes to recompile and reinstall. Some of us sat up until the early hours, doing copious testing (of both a patched kdelibs, and a full rebuild of kdelibs.) It's the nature of open source that testing is done after the fix is distributed to the developers in CVS, Waldo announcing it to the lists was the quickest and best way to get more people testing and quickly.

MS doesn't have the guts...

[Steveftoth]

They only see the dollar signs. It's not like they are 'braver' then the Open Source projects to call IE release quality. The OS guys are just more honest, instead of saying 'yes this software will solve all your problems, it never crashes, and runs really fast. We are sure that this software will work.' The OS guys say, 'this is what we've encountered, here's the performance metrics (if there are any) and here's the code, have fun, but we don't ensure this software to work in all cases.' MS charges an arm and a leg for the software that you can't even get a bug fixed on.

BTW, SourceForge is not where people go to release software into the wild, it's where people who have an itch to scratch in the software world go to try and get more people to help them. If you are good enough to write quality software by yourself you are not going to SourceForge.

Today, the only reason that I don't like MS is that they are really starting to force you to upgrade your software more and more often. I would like to be able to put together a system and not have to slowly upgrade it, but rather:
build it,
use it,
when it becomes not useful, toss it (or give it to someone else)
not the MS way which is
build it,
use it,
upgrade it, (repeat until machine is too slow to use)
toss it.

I hate upgrading for no good reason. Being forced to upgrade software or hardware without getting new features is the pits.

Opera

[An+Audience+of+One]

I've got the latest version of Opera - and it doesn't complain about the certificate. It doesn't actually load the site mind you - you don't get a page that you can view the source of. Possibly also vulnerable.

Oh, and IE 5.0 did complain about the certificate being invalid

Win2kSP3

Funny that this comes out just over a week after Win2kSP3 is released....

Re:Certificates aren't very effective to begin wit

[kcbrown]

It doesn't add anything to have to phone up to read out an SSL certificate fingerprint - you might as well just place the order over the phone!

This isn't true at all.

When you phone up to get the SSL fingerprint, all you're doing is asking the company for data that is already public, but doing so in such a way that you can reasonably be sure that you're getting it from the official source. This transaction doesn't involve any private, sensitive data at all.

If you then use the certificate to conduct a business transaction, the sensitive data (credit card data, for instance) will be encrypted end-to-end using the now trusted certificate so that eavesdroppers cannot intercept that sensitive data (and the fact that you're using a verified certificate prevents man-in-the-middle attacks).

So the end result is quite a bit more secure than simply placing the order over the telephone, since it is possible to tap a telephone line without either end knowing about it.

Issue a fix in 95 minutes

And then wonder how long it will take Microsoft?
I hope Microsoft puts it through some sort of testing and Q/A process. 95 minutes to fix a serious security hole is stupid. You point out a problem with open source, lack of Q/A & testing, and hold it up like it is an advantage.
But then again, it took Mozilla how many years to but out the buggiest browser ever?

Yeah! Ungrammatical posts are, like... bad.

[SlowMovingTarget]

Yeah!!

All those people ought to be using Microsoft Word to edit their posts so it puts that little green squiggley underline thingy...

Oh... Never mind.

Translation

[0x0d0a]

Translation: KDE's open-source dev team blows MS's out of the water in bug fixing.

Re:Try it yourself right now ... here is what I sa

[Mike+McCune]

I got the same error using Mozilla 1.1b.

I also tried IE 5.5, Konquerer 2.2.2 and Lynx 2.8.5. They were all fooled by the spoof. One thing you can do is view the certificate and it will show the spoofing web site in the certificate chain. This could be a work around for the really paranoid.

Also, keep in mind that the spoofer has to have a valid certificate in order for this to work. The spoofer would have to either get a certificate (and risk getting caught) or steal one.

Re:Try it yourself right now ... here is what I sa

[VertigoAce]

I tried this with IE 6 and Mozilla 1.0rc3 (both on an XPpro box) and both give the same results. They both show the thoughtcrime.org website without any error message or anything. Admittedly my Mozilla version is out of date, but it still seems vulnerable.

Re:Try it yourself right now ... here is what I sa

[WzDD]

Opera v6 also works: "The server's certificate chain is incomplete, and the signer(s) are not registered". Mozilla on my system gives error -8183 for the same page.

[OT] Your sig

[extrasolar]

What does your sig mean? Does it mean anything at all?

Please, its driving me crazy.

Re:[OT] Your sig

[T3kno]

If you have MSN instant messenger with the emoticons on, type it in a see what you get.

Re:Certificates aren't very effective to begin wit

[PigleT]

"but doing so in such a way that you can reasonably be sure that you're getting it from the official source."

So let's see... I google around for "soundbug UK" as something I recently wished to purchase, find a sponsored link pointing me at a site I've never heard of before, get as far as the obligatory https:// part, take a phone number from the site, phone them up say "what's your fingerprint?" ....

Spot the flaw?

Phoning someone up out of the blue adds nothing to the trust factor at all. You need for the out-of-band communication to be trusted for external reasons (e.g. recognizing their voice on the phone) before you can trust them. That's why I might as well save time and place my order while I'm at it.

That's where I think a web-of-trust would win; at the very least you've added in the potential for scoring, or "if it's good enough for my mate Dave, it's good enough for me", with the strength of the crypto-key signature pulling your trust up towards 100% instead of it dropping off with more levels-of-removal from the original trust-er.

Re:Certificates aren't very effective to begin wit

[kcbrown]

So let's see... I google around for "soundbug UK" as something I recently wished to purchase, find a sponsored link pointing me at a site I've never heard of before, get as far as the obligatory https:// part, take a phone number from the site, phone them up say "what's your fingerprint?" ....

Who says you have to get their phone number off their web site? If they have a phone number, then they should have a phone book entry, right? So you call the number in the phonebook. Now the attacker has to hijack the company's SSL sessions and their telephone lines -- a much more difficult problem.

Re:Certificates aren't very effective to begin wit

[PigleT]

And I have to have a phone directory for the area in question... That's not going to happen. At the very least, the effort required ("Hi bloke, can you look this up for me?", or trips to library, or even surfing around online through online phone directories - and note the trust required there) is such that it becomes worthwhile to start having key-servers to do the job.

Re:i don't follow you

[pi+radians]

hey, it was a monday and i was busy eating lunch... my mind wonders every now and then, sorry english police.

Re:Whoah...

[frankske]

unless they are loading a windows implementation in the background just to run correctly)

I don't know how much the win32 system they emulate, but I know that at least on solaris they "emulate" the entire registry!

Re:Try it yourself right now ... here is what I sa

[oomcow]

no, no, the vulnerability is that they can pretend that they are amazon.com even though they aren't really amazon.com.

doh! scratch that.

[oomcow]

my apologies, wrote my last post without fully understanding the situation.

basically, when your browser is connecting to https://thoughtcrime.org/ the site is sending out a certificate saying that they are www.amazon.com. internet explorer *does* catch this problem if you don't change the name entry (for instance in your hosts file) since the site is quite directly showing you a certificate that doesn't belong to it.

the real problem is revealed when you change your computer's association of the name www.amazon.com to point to thoughtcrime.org's machine. at this point, when you visit the fake https://www.amazon.com/ your browser receives a certificate that says it's from www.amazon.com and indeed your computer thinks that www.amazon.com is that machine.

so the real problem is that at this point, internet explorer (and yes, konqueror) doesn't check the chain of who issued the certificate, it just sees that the certificate seems to match the dude who's showing it to you and proceeds without an error. in fact, the certificate that internet explorer just accepted was manufactured by the folks at thoughtcrime, who are not the certificate authority dudes that should be the only ones allowed to issue certificates!

Re:Whoah...

[xchino]

Actually this has nothing to do with Linux. In fact, show me where Linux was mentioned as any sort of factor for this. No where. Not that Linux is 100% secure, .... only an idiot would believe any OS is inherently 100% secure.

Re:Whoah...

[Anonvmous+Coward]

I'm not referring to idiocy, I'm referring to zealousy. I've seen a whole lotta that.

So?

[jonadab]

> Unfortunately most clients/browsers seem to go out of their
> way to discourage self-signed certificates with error messages
> that sound like "This certificate was self-signed.

Yes, and at that point the user's eyes glaze over and if
he doesn't have a guru to call, he clicks any button at
random. VERY few users would deign to read the entire
message. The dialog probably has "Okay" and "Cancel",
plus the close box on the window frame. Since "Okay" is
the default button, it's highlighted, and hitting "Enter"
will select it too, so there's probably at _least_ a one
in three chance the user will hit "Okay". That's on the
first try. What is more, if the desired result is not
achieved the first time, most users will try again and
hit a different button.

Translation: SSL certs only matter to people who care
about security and privacy.

This is not helped any by the fact that older browsers
used to display a dialog that looked basically identical
to the users whenever any information was sent over an
unencrypted socket -- for example, every time the user
did a web search at an http site like Yahoo! Users who
have been around for a few years have learned to just
bop Okay whenever they see that dialog -- and they teach
this behavior to the newer users.

So users who don't know anything about security or privacy
(i.e., almost everyone) are fairly unlikely to be dissuaded
from visiting a site just because the certificate is invalid.
They're WAY more likely to skip a site because it uses a
plugin that didn't come preinstalled, or takes too long to
load during peak hours.