
Konqueror and digital certificates

Here is an advisory from the KDE project regarding a flaw in Konqueror's digital certificate handling. It seems that Konqueror (along with certain other, proprietary web browsers) doesn't look hard enough at how a site's certificate was signed: it checks that the signatures chain back to a trusted authority, but not whether the certificate doing the signing was actually authorized to sign other certificates. That means anybody holding an ordinary certificate can fake a certificate for anybody else's site. Thus, with a little additional trickery, it would be possible to set up "man in the middle" attacks and steal credit card numbers.

The Register described this vulnerability as "a colossal stuff-up." Certainly the error is worth fixing, but anybody who is greatly concerned about this vulnerability would be well advised to look at the end of the "Certificates and Credentials" chapter in Bruce Schneier's Secrets & Lies:

I visited www.palm.com to purchase something for my PalmPilot. When I went to the online checkout, I was redirected to https://palmorder.modusmedia.com/asp/store.asp. The SSL certificate was registered to Modus Media International; clearly a flagrant attempt to defraud web customers, which I deftly uncovered because I carefully checked the SSL certificate. Not.

All that SSL does in almost every use is verify that the remote site has a certificate issued by a trusted authority. There is no verification that said certificate has anything to do with the site the user expects to be interacting with; that step is left to the user, who rarely looks. Man in the middle attacks are easily done even when the web browser properly checks how digital certificates were signed; the Konqueror vulnerability has not really opened up any new holes.
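The two checks under discussion, whether a certificate's signer was itself allowed to act as a certificate authority and whether the certificate is bound to the site the user actually asked for, can be shown side by side with the standard library. The program below is an added example written for this page; it is not code from the article, from KDE's Konqueror patch, or from any browser. The hostnames and the "Example Trusted Root" are constructed placeholders, the signing key for the genuine server certificate stands in for the "stolen certificate" of the comment below, and the weak check is my reading of what the article describes: the signature is verified, the signer's authority is not.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed placeholder names; neither is a real site.
const (
	legitHost  = "www.legit-merchant.example"  // holds a genuine, CA-issued server certificate
	victimHost = "secure.victim-store.example" // the site the forged certificate impersonates
)

var nextSerial int64 // simple serial counter; a real CA uses random serials

// newCert issues a certificate for host. If parent is nil the certificate is self-signed.
// basicConstraints is always encoded, so a server certificate explicitly says CA=false.
func newCert(host string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{host} // the name the certificate is actually bound to
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// Scenario holds the trusted root, a genuine server certificate it issued, and a
// certificate for another site that was signed with the genuine server key.
type Scenario struct {
	Root, Legit, Forged *x509.Certificate
}

func buildScenario() (*Scenario, error) {
	root, rootKey, err := newCert("Example Trusted Root", true, nil, nil)
	if err != nil {
		return nil, err
	}
	legit, legitKey, err := newCert(legitHost, false, root, rootKey)
	if err != nil {
		return nil, err
	}
	// Any key can produce a mathematically valid signature; only a validator that
	// inspects the signer's basicConstraints notices that this signer is not a CA.
	forged, _, err := newCert(victimHost, false, legit, legitKey)
	if err != nil {
		return nil, err
	}
	return &Scenario{Root: root, Legit: legit, Forged: forged}, nil
}

// signatureOnlyCheck mirrors the flawed behaviour: verify that cert was signed with
// signer's key and stop there, never asking whether signer may issue certificates.
func signatureOnlyCheck(cert, signer *x509.Certificate) bool {
	return signer.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
}

// fullCheck builds a chain to the trusted root and requires the certificate to be
// valid for host. Go's verifier rejects non-CA issuers and mismatched names.
func fullCheck(cert *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inter := x509.NewCertPool()
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host})
	return err
}

func main() {
	s, err := buildScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("forged cert, signature-only check accepts:", signatureOnlyCheck(s.Forged, s.Legit))
	fmt.Println("forged cert, full chain check:", fullCheck(s.Forged, []*x509.Certificate{s.Legit}, s.Root, victimHost))
	fmt.Println("genuine cert presented for the wrong site:", fullCheck(s.Legit, nil, s.Root, victimHost))
	fmt.Println("genuine cert for its own site:", fullCheck(s.Legit, nil, s.Root, legitHost))
}
```

The first line of output is the flaw in one sentence: the forged certificate's signature is perfectly valid, so a validator that only checks signatures accepts it. The second line is the fix, an error from the chain builder because the signer carries CA=false. The third line is Schneier's point: a perfectly genuine certificate is still useless unless the browser, or the user, checks that it names the site that was requested.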

The real issue, which nobody is all that concerned about, is that the digital certificate system is not doing much for its users. Quoting Schneier again: "Digital certificates provide no actual security for electronic commerce; it's a complete sham." Konqueror users should go ahead and apply the patch (see the LWN vulnerability entry for distributor updates as they arrive), but it's not going to make them all that much more secure against man in the middle attacks.



Konqueror and digital certificates

Posted Aug 22, 2002 21:00 UTC (Thu) by hcobb (guest, #3145) [Link]

I think your article is missing part of the point that the Register brought to light.

SSL "security" backs up DNS (which isn't very secure).

In order to exploit this IE/Konqueror flaw the thief in the middle needs to subvert DNS and steal a certificate from elsewhere.

The user's browser then says https://tithe.microsoft.com/ and the little lock shows secure, but the certificate is a fake: the stolen certificate from https://www.clueless_company.com/ is used to falsely sign the fake certificate.

So you need to subvert DNS and then you can fool the browser completely and the user would need to look carefully at the certificate details to discover the truth.

"The Rooster, crowing at IT's cockups!"

Copyright © 2002, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds