KDEPIM 4.6 prob^Wimpressions

J janus at magicstar.net
Tue Jul 26 20:31:03 BST 2011


Alex Schuster
> J writes:
>
>> There is a transition going on between 128bit and 1024bit certificates.
>> This requires an intermediate certificate of authority.  Konqueror is a
>> stickler for this step, while Firefox, Safari, Chrome, and Opera aren't,
>> as they tend to bundle the intermediate certificate with their build in
>> chain.  When I install a new certificate for one of my webhost customers,
>> I use Konqueror to verify that it has been installed correctly.  It is
>> the only browser that checks each and every step of the certificate
>> chain.  Technically any site that Konqueror complains about isn't
>> properly installed and isn't properly secured.
>
> Hey, cool! So Konqueror is leading technology again, at least in this
> area.
>
> If you don't mind, I have one more question on this. How bad is the
> security impact? For example, my online banking site is
> https://banking.postbank.de , probably one of the most used banking sites
> in Germany. How big is the risk of using it? Would you do this? What can
> be done to minimize the risk? Other than using Firefox and simply not
> seeing the warning dialog :)
>
> Oh, and do others here also store sensible things like my online banking
> PIN in the wallet? Or is this considered too risky? Are there possible
> security problems with this?

Overall the security isn't a big issue, but the "trust" that comes from
the certificate is the issue.  The warning message means that the
certificate presented could not be matched up to the corporation (in this
case the bank) using the available chain of "trusted" certificates that
already exist in the browser or presented by the web server.  The
encryption is still there and does its job, you just cannot be sure that
the bank actually sent this certificate to you or if some "man in the
middle" sent it instead.



>
> And there's another issue I wanted to mention, but now I cannot reproduce
> it. The dialog that asks me whether to accept the certificate used to
> appear every time I open such a site, even if I choose to permanently
> accept it. Seems like this is now sorted out somehow :)

I don't know about that one.  I had the same issue at one time and it went
away during one of the upgrades.


-- 
Janus
Services Administrator
Magicstar IRC network


___________________________________________________
This message is from the kde mailing list.
Account management:  https://mail.kde.org/mailman/listinfo/kde.
Archives: http://lists.kde.org/.
More info: http://www.kde.org/faq.html.
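
Added example, not part of the original message: the three situations discussed in this thread, reproduced offline with the openssl command-line tool (assumed to be installed). The root, intermediate and site certificates and their "Demo" names are constructed throwaway values.

```shell
#!/bin/sh
# Build a constructed chain: Demo root -> Demo int -> Demo leaf.
make_chain() {  # $1 = empty working directory
    w=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$w/ca.ext"
    for n in root int leaf; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo $n" \
            -keyout "$w/$n.key" -out "$w/$n.csr" 2>/dev/null
    done
    # Root: self-signed CA, the only certificate the client trusts up front.
    openssl x509 -req -in "$w/root.csr" -signkey "$w/root.key" -days 2 \
        -extfile "$w/ca.ext" -out "$w/root.pem" 2>/dev/null
    # Intermediate CA: signed by the root.
    openssl x509 -req -in "$w/int.csr" -CA "$w/root.pem" -CAkey "$w/root.key" \
        -CAcreateserial -days 2 -extfile "$w/ca.ext" -out "$w/int.pem" 2>/dev/null
    # Site certificate: signed by the intermediate, not by the root.
    openssl x509 -req -in "$w/leaf.csr" -CA "$w/int.pem" -CAkey "$w/int.key" \
        -CAcreateserial -days 2 -out "$w/leaf.pem" 2>/dev/null
}

# openssl verify prints "<file>: OK" only when a full chain to a trusted root exists.
ok() { grep -q ': OK$'; }

# Server sends only the site certificate; client knows only the root.
leaf_only() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1 | ok
}
# Server sends the site certificate plus the intermediate (correct install).
leaf_plus_int() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" 2>&1 | ok
}
# Server sends only the site certificate, but the client already ships the
# intermediate in its own store, so the missing piece goes unnoticed.
client_bundled_int() {
    cat "$1/root.pem" "$1/int.pem" > "$1/store.pem"
    openssl verify -CAfile "$1/store.pem" "$1/leaf.pem" 2>&1 | ok
}

work=$(mktemp -d)
make_chain "$work"
for c in leaf_only leaf_plus_int client_bundled_int; do
    if "$c" "$work"; then echo "$c: chain verifies"
    else echo "$c: cannot build a chain to a trusted root"; fi
done
rm -rf "$work"
```
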



