Re: AW: IE https certificate attack

From: George Staikos (staikos@0wned.org)
Date: 01/06/02


From: George Staikos <staikos@0wned.org>
To: bugtraq@securityfocus.com
Date: Sun, 6 Jan 2002 12:11:14 -0500

On Thursday 03 January 2002 09:04, K.J.Mueller@EnBW.com wrote:

> could it be, that the text-browsers (lynx, links, w3m) don't even
> bother comparing the actual server name to the certificate's
> "issued for" entry?

> > Looks like Konqueror 2.2.1 (Mandrake Linux 8.1 + OpenSSL 0.9.6b) is also
> > vulnerable. I've got no warning when entering on this page. I've tested
> > it

  The https implementation in Konqueror is incomplete. As of 2.2.2 it is
much more complete, although the code to test CN=hostname doesn't work
properly. This is fixed in KDE 2.2 branch CVS and KDE 3.x HEAD branch. KDE
3.0 should feature a more-or-less full HTTPS implementation finally.

    Most of the incomplete code and bugs in KDE SSL are documented anyways.

-- 

George Staikos
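
The check this thread is about, comparing the server name the user requested with the certificate's CN, sketched as an added example (not Konqueror's or KDE's code, and not part of the original message). `cn_matches_host` and the sample names are hypothetical; the sketch goes slightly beyond the thread by also handling a leading wildcard label, and it assumes the CN has already been extracted from a certificate whose chain was validated.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>

// DNS names compare case-insensitively, so normalise both sides to lower case.
static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Hypothetical helper: true only if the certificate name `cn_in` covers the
// host name the user actually asked for (`host_in`, taken from the URL).
bool cn_matches_host(const std::string& cn_in, const std::string& host_in) {
    std::string cn = lower(cn_in), host = lower(host_in);
    if (!host.empty() && host.back() == '.') host.pop_back();  // "host." == "host"
    if (cn.empty() || host.empty()) return false;

    if (cn.compare(0, 2, "*.") != 0)  // plain name: exact match, no stray '*'
        return cn.find('*') == std::string::npos && cn == host;

    const std::string suffix = cn.substr(1);  // "*.example.com" -> ".example.com"
    if (suffix.find('*') != std::string::npos) return false;  // one wildcard only
    if (std::count(suffix.begin(), suffix.end(), '.') < 2) return false;  // no "*.com"
    if (host.find_first_not_of("0123456789.") == std::string::npos)
        return false;  // wildcards never apply to IP address literals
    if (host.size() <= suffix.size()) return false;  // "*.example.com" != "example.com"
    if (host.compare(host.size() - suffix.size(), suffix.size(), suffix) != 0)
        return false;
    // The wildcard stands for exactly one label, so the first dot must start the suffix.
    return host.find('.') == host.size() - suffix.size();
}

int main() {
    // Constructed sample pairs: {certificate CN, host requested by the user}.
    const char* samples[][2] = {
        {"www.example.com", "WWW.Example.COM"},
        {"www.example.com", "www.evil.example"},
        {"*.example.com", "shop.example.com"},
        {"*.example.com", "a.b.example.com"},
    };
    for (auto& s : samples)
        std::cout << s[0] << " vs " << s[1] << ": "
                  << (cn_matches_host(s[0], s[1]) ? "accept" : "warn user") << "\n";
}
```

A client that skips this comparison accepts any certificate that chains to a trusted CA, whatever name it was issued for, which is the missing warning reported in the quoted messages.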


