List:       kde-devel
Subject:    Bug#11406: No warning of improperly verified server certificates
From:       Logi Ragnarsson <logir () logi ! org>
Date:       2000-09-21 14:59:52

When contacting an https server and the server sends a certificate which
can't be properly verified, i.e. doesn't have a certification chain leading
back to a known and trusted CA certificate, no warning is given.

This means that anyone can generate a server certificate with any name at
all and impersonate that server. I.e. server authentication is worthless and
only data hiding is left.

A half-way secure work-around would be to issue a warning the first time and
then to remember the certificate or a hash of the certificate for future
reference and give a very strongly worded warning if it changes. This would
reduce the SSL authentication to a level equivalent to SSH, but is much
better than the current system.

Logi
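
The work-around proposed in the message above (warn on first contact, remember a hash of the certificate, warn strongly if it changes), sketched as an added example that is not part of the original message or of KDE's code. The `PinStore` class, the `Verdict` names, the host name and the certificate bytes are constructed for illustration.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    TRUSTED_CA = "chain verifies to a trusted CA, no pin needed"
    FIRST_SEEN = "unverifiable certificate, first contact: warn, then remember"
    PIN_MATCH = "unverifiable certificate, identical to the remembered one"
    PIN_CHANGED = "unverifiable certificate DIFFERS from the remembered one"


class PinStore:
    """Remembers a SHA-256 hash of each unverifiable server certificate."""

    def __init__(self):
        self.pins = {}  # "host:port" -> hex digest of the DER certificate

    @staticmethod
    def _key(host, port):
        return f"{host.lower()}:{port}"  # host names are case-insensitive

    def check(self, host, port, cert_der, chain_verified):
        if chain_verified:
            return Verdict.TRUSTED_CA
        known = self.pins.get(self._key(host, port))
        if known is None:
            return Verdict.FIRST_SEEN
        if known == hashlib.sha256(cert_der).hexdigest():
            return Verdict.PIN_MATCH
        return Verdict.PIN_CHANGED  # never overwrite the pin silently

    def remember(self, host, port, cert_der):
        """Call only after the user has explicitly accepted the warning."""
        self.pins[self._key(host, port)] = hashlib.sha256(cert_der).hexdigest()


def demo():
    # Constructed stand-ins for DER-encoded certificates (not real certs).
    original = b"constructed-cert-A for shop.example"
    replaced = b"constructed-cert-B for shop.example"
    store = PinStore()
    results = [store.check("shop.example", 443, original, False)]
    store.remember("shop.example", 443, original)  # user accepted the warning
    results.append(store.check("Shop.Example", 443, original, False))
    results.append(store.check("shop.example", 443, replaced, False))
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict.name, "-", verdict.value)
```

As the message notes, this only reaches an SSH-like level of assurance: the first contact is still unauthenticated, so the first-seen warning matters as much as the changed-certificate one.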
 