------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

http://bugs.kde.org/show_bug.cgi?id=149436
           Summary: konqueror should default to permanently accepting invalid certificates
           Product: konqueror
           Version: unspecified
          Platform: unspecified
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: NOR
         Component: general
        AssignedTo: konq-bugs kde org
        ReportedBy: v13 priest com

Version:           3.5.7 (using KDE 3.5.7, Debian Package 4:3.5.7.dfsg.1-1 (lenny/sid))
Compiler:          Target: i486-linux-gnu
OS:                Linux (i686) release 2.6.22-v2-v

I'm filing this as a 'bug' since it is security related. Please read:

http://groups.google.com/group/mozilla.dev.security/browse_frm/thread/b3caff5eeab499d3/2252211f72247176

It is a request I sent yesterday to firefox developers. I'm also pasting it here:

------
Hello there,

As you already know (:-)) when firefox visits an SSL enabled site and gets a certificate that cannot be verified, it asks the user about the action it should take. The current actions are: Accept Permanently (#1), Accept for Session (#2), Don't Accept (#3), having #2 as the preselected option.

I believe that this (option #2) is the most insecure of all. Let me explain my thoughts:

* If the user rejects the certificate then there can be no harm
* If the user accepts the certificate permanently:
  * The certificate may be valid and thus he will be protected for all future sessions, because a fake certificate will not match the already accepted one.
  * The certificate may be fake (man in the middle). If it is fake, the user will most probably find out when he tries to visit the site at another moment in the future, when there is no mitm attack taking place. Firefox will then warn about the wrong certificate and the user will be alerted.
* If the user accepts the certificate permanently, it is like drawing a lot. A user that visits an https-powered webmail site 4-10 times a day just increases the possibility of a mitm attack succeeding.

Of course you'd ask 'who visits a site so often and does not accept the certificate permanently'. Well, my experience shows that there are many such people (I work as a sysadmin in a University).

So I suggest (and kindly ask) you to:

a) Change the default option to #1 or #3
b) Discourage people from selecting #2 (even display a warning box)
c) Perhaps implement an aging (cache expiring) method to delete very old certificates and possibly add an option 'remember for 1 year', where each new visit will reset the countdown timer.

All of these could be accompanied with a more alerting dialog box to be shown when there is a certificate mismatch.

Best regards,
Harhalakis Stefanos
------
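The argument in the report (permanent acceptance pins the certificate so a later substitution is detected, session acceptance re-prompts every visit, and a "remember for 1 year" countdown that every visit resets) can be checked with a small trust-on-first-use model. The following is an added illustration written for this page; it is not code from the bug report, Konqueror or Firefox. The host name, the `TrustStore` class, the DER byte strings and the outcome labels are all constructed for the example, and fingerprints are plain SHA-256 over the constructed bytes rather than real certificates.

```python
from __future__ import annotations
from dataclasses import dataclass, field
import hashlib

# Dialog choices from the report: #1 permanent, #2 session, #3 reject.
SESSION, PERMANENT, REJECT = "session", "permanent", "reject"
DAY = 86400.0


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the (constructed) DER bytes; the value a browser would pin."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class TrustStore:
    """Hypothetical trust-on-first-use store modelling the three dialog choices."""
    permanent: dict[str, tuple[str, float]] = field(default_factory=dict)  # host -> (fp, last_seen)
    session: dict[str, str] = field(default_factory=dict)                  # host -> fp
    max_age: float = 365 * DAY  # 'remember for 1 year', reset on every matching visit

    def end_session(self) -> None:
        """Closing the browser forgets session-only acceptances."""
        self.session.clear()

    def evaluate(self, host: str, cert_der: bytes, now: float, choice_if_unknown: str) -> str:
        fp = fingerprint(cert_der)
        if host in self.permanent:
            known_fp, last_seen = self.permanent[host]
            if now - last_seen > self.max_age:
                del self.permanent[host]          # aged out: treat as never seen
            elif known_fp == fp:
                self.permanent[host] = (fp, now)  # same cert: reset the countdown
                return "ok"
            else:
                return "MISMATCH"                 # pinned cert differs: warn loudly
        if host in self.session:
            return "ok" if self.session[host] == fp else "MISMATCH"
        # Unknown certificate: this is the point where the dialog would appear.
        if choice_if_unknown == REJECT:
            return "rejected"
        if choice_if_unknown == SESSION:
            self.session[host] = fp
            return "accepted-session"
        self.permanent[host] = (fp, now)
        return "accepted-permanent"


# Constructed inputs: two different byte strings standing in for the site's
# real certificate and for a substituted one.
HOST = "mail.example.edu"
REAL_CERT = b"constructed DER for mail.example.edu (genuine)"
FAKE_CERT = b"constructed DER for mail.example.edu (substituted)"


def scenario(choice: str) -> list[str]:
    """One visit per day for three days; the third day presents a different certificate."""
    store = TrustStore()
    outcomes = []
    for day, cert in enumerate([REAL_CERT, REAL_CERT, FAKE_CERT]):
        outcomes.append(store.evaluate(HOST, cert, day * DAY, choice))
        store.end_session()  # browser closed between days
    return outcomes


def aging_demo() -> list[str]:
    """Suggestion (c): the one-year countdown is reset by each visit with the same cert."""
    store = TrustStore()
    return [
        store.evaluate(HOST, REAL_CERT, 0 * DAY, PERMANENT),    # first visit, pinned
        store.evaluate(HOST, REAL_CERT, 100 * DAY, PERMANENT),  # 100 days later: ok, reset
        store.evaluate(HOST, REAL_CERT, 400 * DAY, PERMANENT),  # 300 days since last: ok, reset
        store.evaluate(HOST, REAL_CERT, 800 * DAY, PERMANENT),  # 400 days since last: aged out, re-prompted
    ]


if __name__ == "__main__":
    for choice in (PERMANENT, SESSION, REJECT):
        print(f"{choice:9}: {scenario(choice)}")
    print("aging    :", aging_demo())
```

With `PERMANENT` the third visit yields `MISMATCH`, which is the warning the report relies on; with `SESSION` every visit is an indistinguishable first-time prompt, so the substituted certificate is accepted just like the genuine one; with `REJECT` nothing is ever trusted. `aging_demo` shows the countdown surviving visits spaced under a year apart and expiring after a longer gap.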