The Omni Group

 
Cannot access https pages after installing Cisco VPN client
Sorry for posting this again, especially since this is not an OW bug. But thus far I have not found any solution to this annoying problem. After installing a Cisco vpn client, I am no longer able to access https pages with any webkit browser (OW, Safari, Shiira). Camino and Firefox work fine, however.

I have tried uninstalling the vpn client manually (spotlight search) and through a sudo command in Terminal. It appears that the uninstall worked, but I'm still having problems with the browsers accessing https pages. Did all the other tricks as well. Still no luck.

Anyone else having issues?

Thanks.

PS It may not be the Cisco vpn client; others are having problems as well, especially after the latest security update. This bug makes OW impossible to use for secure sites. If anyone can offer any insights as to why WebKit browsers don't work but Gecko engines do, I would be most grateful.

Last edited by daiyi666@yahoo.com; 2006-12-02 at 11:56 AM..
 
Did you send in a bug report via Help->Feedback? This issue really sounds strange. The OW guys might be able to give you a hint on that if you send in logs.
 
Quote:
Originally Posted by zottel
Did you send in a bug report via Help->Feedback? This issue really sounds strange. The OW guys might be able to give you a hint on that if you send in logs.
Guess I should do this. It seems to be a WebKit issue, but not everyone is experiencing it either. On the Apple boards there are similar issues posted, too.
 
Finally found a solution. In case this is happening to others. Nice to have OW back full time.

http://discussions.apple.com/message...641899#3641899
 
I took a short look at this thread, and if I get it right, what's proposed there is turning off the validity checking for SSL certificates—which doesn't really sound like a good idea, IMHO. That means that your communication will still be encrypted, but you can't be sure that the site you are connected to is really the one it claims to be.

Ok, it's rather complicated to use this vulnerability for an attack. There'd be DNS spoofing involved, so the attacker would have to have access to a DNS server you use, or to the DNS server that holds the information about the spoofed-as site, or to your own /etc/hosts file. But it's a risk I wouldn't take, at least when online banking is involved.

What was the error you got when it didn't work? In the thread you linked to, someone said something about a hostname mismatch—the certificate was issued for another hostname than the one he was actually connected to. I recently saw that the Apple Keychain shows this error even if there is only a case mismatch in the certificate—e.g. if the certificate was issued for www.MySpace.com, but the server identifies itself as www.myspace.com.

Wasn't there a thread here some time ago about OW turning all hostnames into lowercase to make URL spoofing harder? (Like using a capital i as an L—the host www.googie.com with the i capitalized—www.googIe.com—will look like www.google.com (GOOGLE, not GOOGIE) in most sans-serif fonts.) Might that be the source of the problem?

Last edited by zottel; 2006-12-04 at 01:22 PM..
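
The two hostname points raised in the post above, as an added example that is not part of the original thread and is not OmniWeb, WebKit or Keychain code: a certificate hostname check that compares DNS names case-insensitively, as RFC 6125 specifies, and a lower-casing step for display. The function names are hypothetical, and the hostnames are the ones used in the post plus constructed example.com values.

```python
# Added example: certificate hostname matching in the style of RFC 6125.
# Function names are hypothetical; example.com values are constructed.

def _labels(name):
    # DNS names compare case-insensitively; a trailing dot is the root label.
    return name.rstrip(".").lower().split(".")

def hostname_matches(cert_name, requested_host):
    """True if one DNS name from the certificate covers the requested host."""
    pattern, host = _labels(cert_name), _labels(requested_host)
    if len(pattern) != len(host) or "" in pattern or "" in host:
        return False
    first, rest = pattern[0], pattern[1:]
    if first == "*":
        # A wildcard covers exactly one left-most label and needs at
        # least two fixed labels after it (so "*.com" never matches).
        return len(rest) >= 2 and rest == host[1:]
    if "*" in cert_name:
        return False  # partial or non-left-most wildcards are rejected
    return pattern == host

def verify_host(cert_names, requested_host):
    """Check every DNS name in the certificate; any match is sufficient."""
    return any(hostname_matches(n, requested_host) for n in cert_names)

def display_form(host):
    """Lower-case a host for display so a capital I posing as l stands out."""
    return host.lower()

if __name__ == "__main__":
    # A case-only difference is not a mismatch.
    print(verify_host(["www.MySpace.com"], "www.myspace.com"))
    # The look-alike host is a different name once case is folded.
    print(display_form("www.googIe.com"),
          verify_host(["www.google.com"], "www.googIe.com"))
```
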
 
Quote:
Originally Posted by zottel
I took a short look at this thread, and if I get it right, what's proposed there is turning off the validity checking for SSL certificates—which doesn't really sound like a good idea, IMHO. That means that your communication will still be encrypted, but you can't be sure that the site you are connected to is really the one it claims to be.

Ok, it's rather complicated to use this vulnerability for an attack. There'd be DNS spoofing involved, so the attacker would have to have access to a DNS server you use, or to the DNS server that holds the information about the spoofed-as site, or to your own /etc/hosts file. But it's a risk I wouldn't take, at least when online banking is involved.

What was the error you got when it didn't work? In the thread you linked to, someone said something about a hostname mismatch—the certificate was issued for another hostname than the one he was actually connected to. I recently saw that the Apple Keychain shows this error even if there is only a case mismatch in the certificate—e.g. if the certificate was issued for www.MySpace.com, but the server identifies itself as www.myspace.com.

Wasn't there a thread here some time ago about OW turning all hostnames into lowercase to make URL spoofing harder? (Like using a capital i as an L—the host www.googie.com with the i capitalized—www.googIe.com—will look like www.google.com (GOOGLE, not GOOGIE) in most sans-serif fonts.) Might that be the source of the problem?

You raise many important concerns here--ones that I was wondering about myself. If I go to sites already bookmarked, however, won't that be safe? In other words, as long as I don't click on links provided elsewhere, it should be safe, no?

I would be interested in figuring out why this suddenly occurred. Others using Safari experienced the same problem. But thus far no OW users have posted here about the issue.

Thanks.
 
 



