Here is an advisory from the KDE project
regarding a flaw in Konqueror's digital certificate handling. It seems
that Konqueror (along with certain other, proprietary web browsers) doesn't
look hard enough at how a site's certificate was signed, meaning that
anybody can fake a certificate for anybody else's site. Thus, with a
little additional trickery, it would be possible to set up "man in the
middle" attacks and steal credit card numbers.

The Register described this
vulnerability as "a colossal stuff-up." Certainly the error is worth
fixing, but anybody who is greatly concerned about this vulnerability would
be well advised to look at the end of the "Certificates and Credentials"
chapter in Bruce Schneier's Secrets & Lies:

    I visited www.palm.com to purchase something for my PalmPilot.
    When I went to the online checkout, I was redirected to
    https://palmorder.modusmedia.com/asp/store.asp. The SSL
    certificate was registered to Modus Media International; clearly a
    flagrant attempt to defraud web customers, which I deftly uncovered
    because I carefully checked the SSL certificate. Not.

All that SSL does in almost every use is to verify that the remote site has
a certificate issued by a trusted authority. There is no verification that
said certificate has anything to do with the site that the user expects to
be interacting with. Man in the middle attacks are easily done even when
the web browser properly checks how digital certificates were signed; the
Konqueror vulnerability has not really opened up any new holes.
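
The gap described above, as an added example (not code from the KDE advisory or from Schneier's book): it separates the hostname check a TLS client performs from the user's expectation about which site they are dealing with. The certificate is constructed around the anecdote quoted above, the function names are hypothetical, and comparing the last two host labels is a simplifying assumption.

```python
# Added example. SAMPLE_CERT is constructed, shaped like the dict that
# ssl.SSLSocket.getpeercert() returns once the library has accepted the chain.
SAMPLE_CERT = {
    "subject": (
        (("organizationName", "Modus Media International"),),
        (("commonName", "palmorder.modusmedia.com"),),
    ),
    "subjectAltName": (("DNS", "palmorder.modusmedia.com"),),
}

def subject_field(cert, key):
    """Return the first subject attribute named key, or None."""
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            if name == key:
                return value
    return None

def dns_names(cert):
    """DNS names the certificate covers: SAN entries, else the commonName."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    cn = subject_field(cert, "commonName")
    return [cn] if cn else []

def name_matches(pattern, host):
    """Case-insensitive match; '*' may stand for the leftmost label only."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    return (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]

def site_key(host):
    """Assumption: last two labels approximate the registrable domain.
    Real code needs the Public Suffix List (e.g. for .co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def review(cert, connected_host, expected_site):
    """Separate what the TLS client checks from what the user assumed."""
    return {
        "hostname_ok": any(name_matches(n, connected_host) for n in dns_names(cert)),
        "same_site": site_key(connected_host) == site_key(expected_site),
        "organization": subject_field(cert, "organizationName"),
    }

if __name__ == "__main__":
    print(review(SAMPLE_CERT, "palmorder.modusmedia.com", "www.palm.com"))
```

For the redirect in the anecdote the hostname check succeeds while the site comparison fails, and nothing in the handshake surfaces that difference to the user.
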

The real issue, which nobody is all that concerned about, is that the
digital certificate system is not doing much for its users. Quoting
Schneier again: "Digital certificates provide no actual security for
electronic commerce; it's a complete sham." Konqueror users should
go ahead and apply the patch (see the LWN
vulnerability entry for distributor updates as they arrive), but it's
not going to make them all that much more secure against man in the middle