[kde-linux] Am I Alone?

Duncan 1i5t5.duncan at cox.net
Thu Oct 1 09:17:28 UTC 2009


Anne Wilson posted on Thu, 01 Oct 2009 07:54:26 +0100 as excerpted:

> On Thursday 01 October 2009 00:53:37 James Tyrer wrote:
>> Anne Wilson wrote:
>> <SNIP>
>> 
>> > I've seen no such problem, so I can't comment.
>> 
>> Then go to:
>> 
>> http://capitalone.com/
>> 
>> 
> I did.  In konqueror.  It said that Capital One uses an invalid
> certificate and cannot be trusted.  It then asked if I wanted to
> continue.  I said 'yes' and it entered the site.

Hmm, interesting.

The URL as given is a simple http: URL -- not encrypted (that would be 
https not just http).  Simply clicking the link sends me to the site, not 
encrypted, no certificate because it's not encrypted, no problem.

If I then click around to find a login, I arrive at a secured (that is, 
https:) login page at https://servicing.capitalone.com/c1/login.aspx .  
That page returns a valid (by konqueror's report) certificate, registered 
to exactly that host, servicing.capitalone.com .

If however I change the original link to https, as so:

https://capitalone.com

THEN I get a prompt for invalid certificate.  Clicking details (which 
actually work this time), I can see why -- the certificate is issued to 
www.capitalone.com , while the site is actually simply capitalone.com (no 
www).  As konqueror's SSL info dialog says, "The certificate does not 
apply to the given host."  There are other issues with it as well, having 
to do with the fact that the authority's (Verisign's) certificate is said 
to be invalid, there's no certificate chain.

So there's no real problem here, except perhaps that konqueror doesn't 
have a valid certificate chain.  But since the cert doesn't apply to the 
host that's using it in this case (it's not a wildcard cert for the 
entire capitalone.com domain, but specifically for the www host, and the 
server I'm connecting to is NOT the www host), it's an invalid use of the 
certificate in any case, the details button works as it should, and I can 
see exactly why it's invalid, and make my decision accordingly.  
Everything is working as I'd expect it to on such a certificate, IOW.

What had me worried about the behavior previously, unlike here, is that 
on an initial attempt to connect to wherever it was (IDR where, other 
than it wasn't /that/ critical, not banking, etc, I think a bugzilla 
somewhere), konqueror would initially warn that the certificate was 
invalid, but would NOT return the details if I clicked the button to 
actually see the certificate details.  The warning dialog would 
disappear, and the details dialog would never come up.

OK, sort of.  But the REALLY worrying bit about it was that a second 
attempt to connect would go through, no warning about an invalid certificate 
at all.  Since this WAS just a bugzilla or whatever, I wasn't too worried 
about it the first time.  I wasn't logging in or anything anyway.  I just 
looked up the bug I was looking up, and continued on my way.  However, it 
was the second time it did it, an hour or two later, that triggered the 
realization that it was dying on the details of an invalid cert, AND THE 
SECOND ATTEMPT WAS GOING THROUGH WITHOUT A WARNING AT ALL!!

It's that second attempt going through as if everything was fine that had me 
worried.  But since I already knew about the bug with https and 
certificate handling, and because I've voted on it, I'd get mail if there 
were any changes in the bug and I've not gotten any so I knew it was 
still open, I didn't worry about it further, just used it as an example 
to make my point about kde4 not (yet) being ready for ordinary users to 
use doing all their ordinary stuff, including online banking.

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman
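
[Added example, not code from this thread nor Konqueror's/KDE's own.  The 
"certificate does not apply to the given host" verdict above comes down to 
the host-name matching rule below (RFC 6125 style): the name presented must 
match a DNS name in the cert's subjectAltName (or, failing that, the CN), 
and a wildcard covers exactly one label.  The certificate records are 
constructed to mirror the dict shape returned by Python's 
ssl.SSLSocket.getpeercert(); the names in them are hypothetical.  Note the 
point the "wildcard cert for the entire capitalone.com domain" remark 
glosses over: *.capitalone.com would cover www and servicing, but NOT the 
bare capitalone.com, which needs its own SAN entry.]

```python
"""Host-name matching against a TLS certificate's DNS names.

Added example; not from the kde-linux thread or from Konqueror/KDE.
Certificate dicts below are constructed to look like the output of
ssl.SSLSocket.getpeercert(); all names in them are hypothetical.
"""
import re

# One DNS label: letters, digits, hyphen (case folded before matching).
LABEL_RE = re.compile(r"^[a-z0-9-]+$")


def dns_names(cert):
    """Return the DNS names a certificate is valid for.

    subjectAltName DNS entries take precedence; the subject commonName is
    consulted only when no SAN DNS names exist (legacy behaviour).
    """
    names = [val for typ, val in cert.get("subjectAltName", ()) if typ == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, val in rdn:
            if key == "commonName":
                names.append(val)
    return names


def name_matches(pattern, hostname):
    """Match one certificate name (optionally '*.' leftmost) against a host."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard only as the whole leftmost label, never in later labels,
    # and the pattern needs at least two fixed labels (reject '*.com').
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    # '*' stands for exactly one label: '*.example.com' matches
    # 'www.example.com' but neither 'example.com' nor 'a.b.example.com'.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:] and LABEL_RE.match(h_labels[0]) is not None


def cert_matches_host(cert, hostname):
    """True if any DNS name in the certificate applies to hostname."""
    return any(name_matches(n, hostname) for n in dns_names(cert))


def explain(cert, hostname):
    """(ok, names): what a browser's details dialog should show the user."""
    return cert_matches_host(cert, hostname), dns_names(cert)


# Constructed records in getpeercert() shape; names are hypothetical.
CERT_WWW_ONLY = {
    "subject": ((("commonName", "www.capitalone.com"),),),
    "subjectAltName": (("DNS", "www.capitalone.com"),),
}
CERT_WILDCARD = {
    "subject": ((("commonName", "*.capitalone.com"),),),
    "subjectAltName": (("DNS", "*.capitalone.com"),),
}
CERT_BOTH = {
    "subject": ((("commonName", "www.capitalone.com"),),),
    "subjectAltName": (("DNS", "www.capitalone.com"), ("DNS", "capitalone.com")),
}

if __name__ == "__main__":
    hosts = ("capitalone.com", "www.capitalone.com", "servicing.capitalone.com")
    for label, cert in (("www-only", CERT_WWW_ONLY), ("wildcard", CERT_WILDCARD),
                        ("www+apex", CERT_BOTH)):
        for host in hosts:
            ok, names = explain(cert, host)
            verdict = "applies" if ok else "does not apply"
            print(f"{label:9} cert for {names} {verdict} to {host}")
```

To run this against a live server, replace the constructed dicts with the 
return value of getpeercert() from an ssl-wrapped socket; the matching 
logic is unchanged.  Matching is only one of the checks a client must 
make: chain validation to a trusted root and the validity period are 
separate, which is why the post sees both a host mismatch and a chain 
problem on the same connection.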
