Re: AW: IE https certificate attack

From: George Staikos (staikosat_private)
Date: Sun Jan 06 2002 - 09:11:14 PST


    On Thursday 03 January 2002 09:04, K.J.Muellerat_private wrote:
    
    > could it be, that the text-browsers (lynx, links, w3m) don't even
    > bother comparing the actual server name to the certificate's
    > "issued for" entry?
    
    > > Looks like Konqueror 2.2.1 (Mandrake Linux 8.1 + OpenSSL 0.9.6b) is also
    > > vulnerable. I've got no warning when entering on this page. I've tested it
    
      The https implementation in Konqueror is incomplete.  As of 2.2.2 it is 
    much more complete, although the code to test CN=hostname doesn't work 
    properly.  This is fixed in KDE 2.2 branch CVS and KDE 3.x HEAD branch.  KDE 
    3.0 should feature a more-or-less full HTTPS implementation finally.
    
        Most of the incomplete code and bugs in KDE SSL are documented anyways.
    
    -- 
    
    George Staikos
    


