A
serious flaw in SSL certificate handling reported by Mike Benham, affecting IE and Konqueror, has already been fixed by
KDE's Waldo Bastian, we're pleased to mention.
The fix is available only in the CVS (Concurrent Versions System) tree at the moment, but KDE reckons it will have patched binaries available for its 3.0.3 version, available early next week. A patch for KDE 2.2.x is currently in the works.
As for Microsoft? According to Benham they haven't even replied to him yet. Apparently, real Trustworthy Computing takes an enormous amount of time.
Conversely, the speed with which the open source community jumps on security bugs and sorts them out is remarkable, and ought to be a solid selling point. Consider the nearly miraculous turnarounds by
Mozilla.org on
this bug, and
this one. Consider a serious Apache bug fixed in less than 24 hours, though security sluts
ISS shanked
Apache.org with a premature-release
publicity stunt.
SSL, we should point out, is one of the most important consumer security protocols in use on the Web. It's what makes your credit card transactions with pr0n sites appear safe. It's what persuades you that sensitive personal data which you entrust to a Web site is a secret between you and them. Only it's broken. Mozilla isn't affected; Konqueror will be fully patched by Monday or Tuesday, and IE is vulnerable and in Limbo while MS tries to figure out how to explain it to the teeming millions who trust their products, in preparation for eventually fixing it. But the spin comes first. That's the meaning of Trustworthy Computing.
Where do you want to go today? ®