A problem has been discovered in the way in which the KDE webbrowser Konqueror handles SSL certificates. SSL certificates are used by websites to prove that they are indeed the website the user thinks they are. The following advisory has been released to bring this issue under the attention of all KDE users.
KDE Security Advisory: Konqueror SSL vulnerability
Original Release Date: 2002-08-18
1. Systems affected:
All versions of KDE up to and including KDE 3.0.2
KDE's SSL implementation fails to check the basic constraints on
certificates and as a result may accept certificates as valid that were signed
by an issuer who was not authorized to do so.
Users of Konqueror and other SSL enabled KDE software may fall victim
to a malicious man-in-the-middle attack without noticing. In such case the
user will be under the impression that there is a secure connection with a
trusted site while in fact a different site has been connected to.
Upgrade kdelibs to KDE 3.0.3. A patch for KDE 2.2.2 is available as
well for users that are unable to upgrade to KDE 3.
A patch for KDE 2.2.2 is available from