
Bug#525975: konqueror: Cannot verify SSL certificates as only the broken md5 digest is shown, must display SHA1 digest



Package: konqueror
Version: 4:3.5.9.dfsg.1-6
Severity: important


As the MD5 digest is broken enough [1], a different digest should be
displayed in order to verify a certificate.
Iceweasel also shows SHA1; this is what I think is best.

Needless to say: This is a security issue with konqueror.

How to see the problem:
a) Try to go to https://debian.org/ (and make sure that you have not
   accepted the certificate or ca.debian.org before).
b) You get a question whether you want to accept the certificate; press Details.
c) The KDE SSL Information Konqueror window comes up.
Now you can only see the MD5 digest.
Expectation: At least the SHA1 digest should be shown in the details.

Note: the dialog might come from a different KDE package, but the security
problem comes up with konqueror being used as a web browser, thus I believe this
is the right package to report against first.

[1] http://www.win.tue.nl/hashclash/rogue-ca/

-- System Information:
Debian Release: 5.0.1
  APT prefers proposed-updates
  APT policy: (500, 'proposed-updates'), (500, 'stable')
Architecture: powerpc (ppc)

Kernel: Linux 2.6.26-1-powerpc
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages konqueror depends on:
ii  kcontrol         4:3.5.9.dfsg.1-6        control center for KDE
ii  kdebase-kio-plug 4:3.5.9.dfsg.1-6        core I/O slaves for KDE
ii  kdelibs4c2a      4:3.5.10.dfsg.1-0lenny1 core libraries and binaries for al
ii  kdesktop         4:3.5.9.dfsg.1-6        miscellaneous binaries and files f
ii  kfind            4:3.5.9.dfsg.1-6        file-find utility for KDE
ii  libc6            2.7-18                  GNU C Library: Shared libraries
ii  libgcc1          1:4.3.2-1.1             GCC support library
ii  libkonq4         4:3.5.9.dfsg.1-6        core libraries for Konqueror
ii  libqt3-mt        3:3.3.8b-5              Qt GUI Library (Threaded runtime v
ii  libstdc++6       4.3.2-1.1               The GNU Standard C++ Library v3
ii  libx11-6         2:1.1.5-2               X11 client-side library

konqueror recommends no packages.

Versions of packages konqueror suggests:
ii  gij-4.1    4.1.1-20                      The GNU Java bytecode interpreter
ii  khelpcente 4:4.0.0.really.3.5.9.dfsg.1-6 help center for KDE
ii  konq-plugi 4:3.5.9-2                     plugins for Konqueror, the KDE fil
ii  ksvg       4:3.5.9-3                     SVG viewer for KDE
pn  libgcj7-aw <none>                        (no description available)
pn  libjessie- <none>                        (no description available)

-- no debconf information
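As an added example (not part of the bug report and not Konqueror's or KDE's own code): this is the check the reporter wants to be able to do by hand, computing the MD5, SHA1 and SHA256 fingerprints of a certificate's DER encoding in the colon-separated form browsers display, and comparing the SHA1 one against a fingerprint obtained out of band. The function names are my own, and SAMPLE_DER is a constructed byte string standing in for a real certificate so the script runs offline; with a real certificate you would feed it the DER bytes (for example from `openssl x509 -outform DER`) or the PEM text.

```python
import base64
import hashlib
import hmac
import re

# Constructed placeholder: NOT a real X.509 certificate, just bytes standing
# in for the DER encoding so the fingerprint code can run offline.
SAMPLE_DER = bytes(range(256)) * 3


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor and base64-decode to the DER bytes that
    fingerprints are computed over."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def der_to_pem(der: bytes) -> str:
    """Inverse of pem_to_der, used here so the example can round-trip."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Digest of the whole DER certificate as a colon-separated upper-case
    hex string, the form a browser's certificate dialog shows."""
    h = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def fingerprints(der: bytes) -> dict:
    """All three digests side by side: MD5 (what the dialog in the report
    shows), SHA1 (what the reporter asks for) and SHA256."""
    return {a: fingerprint(der, a) for a in ("md5", "sha1", "sha256")}


def normalize(fp: str) -> str:
    """Drop separators and case so 'AA:BB', 'aa bb' and 'aabb' compare equal."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def matches(der: bytes, expected_fp: str, algo: str = "sha1") -> bool:
    """Compare the computed fingerprint with one obtained out of band.
    Rejects a value of the wrong length for the algorithm (e.g. an MD5
    fingerprint pasted where a SHA1 one is expected) and compares in
    constant time."""
    got = normalize(fingerprint(der, algo))
    exp = normalize(expected_fp)
    if len(exp) != hashlib.new(algo).digest_size * 2:
        raise ValueError(f"expected {algo} fingerprint has wrong length")
    return hmac.compare_digest(got, exp)


if __name__ == "__main__":
    der = pem_to_der(der_to_pem(SAMPLE_DER))
    for algo, fp in fingerprints(der).items():
        print(f"{algo:>6}: {fp}")
```

The digest is taken over the complete DER certificate, which is what the fingerprint shown by Iceweasel's dialog refers to; checking only the MD5 value would not distinguish two certificates built from an MD5 collision, so the comparison defaults to SHA1 and also exposes SHA256.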
