Bugtraq mailing list archives
Re: AW: IE https certificate attack
From: George Staikos <staikos () 0wned org>
Date: Sun, 6 Jan 2002 12:11:14 -0500
On Thursday 03 January 2002 09:04, K.J.Mueller () EnBW com wrote:
> could it be, that the text-browsers (lynx, links, w3m) don't even bother comparing the actual server name to the certificate's "issued for" entry?

> Looks like Konqueror 2.2.1 (Mandrake Linux 8.1 + OpenSSL 0.9.6b) is also vulnerable. I've got no warning when entering on this page. I've tested it

The https implementation in Konqueror is incomplete. As of 2.2.2 it is much more complete, although the code to test CN=hostname doesn't work properly. This is fixed in KDE 2.2 branch CVS and KDE 3.x HEAD branch. KDE 3.0 should feature a more-or-less full HTTPS implementation finally. Most of the incomplete code and bugs in KDE SSL are documented anyways.

--
George Staikos
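
The check this thread is about, comparing the host the user asked for with the name the certificate was issued for, sketched as an added example (not code from Konqueror, KDE, OpenSSL or any poster). The function names and sample names are hypothetical, and the wildcard rule (whole leftmost label only) goes beyond what the thread states and is an assumption based on common practice.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Lower-case ASCII copy: DNS names compare case-insensitively.
static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Match one certificate name (CN or dNSName) against the requested host.
// Assumption: "*" is honoured only as the entire leftmost label and covers one label.
bool nameMatches(const std::string& certName, const std::string& host) {
    std::string pattern = lower(certName), h = lower(host);
    if (pattern.empty() || h.empty()) return false;
    if (pattern.compare(0, 2, "*.") != 0) return pattern == h;   // exact match, never prefix
    std::string suffix = pattern.substr(1);                      // e.g. ".example.org"
    if (suffix.find('*') != std::string::npos) return false;     // only one wildcard allowed
    if (std::count(suffix.begin(), suffix.end(), '.') < 2) return false;  // reject "*.com"
    std::size_t dot = h.find('.');
    if (dot == std::string::npos || dot == 0) return false;
    return h.substr(dot) == suffix;                              // one label replaced, no more
}

// True if any name carried by the certificate covers the requested host.
bool certificateCoversHost(const std::vector<std::string>& certNames,
                           const std::string& host) {
    return std::any_of(certNames.begin(), certNames.end(),
                       [&](const std::string& n) { return nameMatches(n, host); });
}

// Constructed sample: names as they might appear in one server certificate.
const std::vector<std::string> kSampleCertNames = {"shop.example.com", "*.example.org"};

int main() {
    for (const char* host : {"shop.example.com", "mail.example.org", "bank.example.com"})
        std::cout << host << ": "
                  << (certificateCoversHost(kSampleCertNames, host) ? "ok" : "MISMATCH, warn user")
                  << "\n";
    return 0;
}
```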