Package: libapache2-mod-authn-yubikey
Version: 1.0-5

While inspecting the source of this package, I found that it seems to send 
a user's client ID and password to a remote web site via a http: link, which
means it would be sent unencrypted. The suspect function is
yubikey_client_request() in authn_yubikey/libykclient.c. The URL template is:

http://api.yubico.com/wsapi/verify?id=%d&otp=%s

where the id= is set to client_id and otp= is set to "password" in
authn_check_otp().

Note that I'm not familiar with the package, I don't use it, I barely
understand what it's trying to do, and I didn't verify these results at run
time.  However, the host in question (api.yubico.com) has a valid TLS
certificate so there seems to be no reason to apply this patch:

+++ sources/authn_yubikey/libykclient.c.orig    2008-08-30 09:03:24.000000000 
-0700
--- sources/authn_yubikey/libykclient.c 2026-05-19 17:12:44.010781689 -0700
@@ -201,7 +201,7 @@
                        const char *yubikey)
 {
   struct MemoryStruct chunk = { NULL, 0 };
-  const char *url_template = "http://api.yubico.com/wsapi/verify?id=%d&otp=%s";;
+  const char *url_template = 
"https://api.yubico.com/wsapi/verify?id=%d&otp=%s";;
   char *url;
   char *user_agent = NULL;
   char *status;
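Review bot: the file headers at the top of the hunk are reversed for a unified diff (`+++` names libykclient.c.orig, the old file, and `---` names the edited file), and the `+` line has been wrapped by the mailer onto two lines (`const char *url_template =` followed by `"https://api.yubico.com/...`), so `patch` will reject this as posted; regenerate it with `diff -u old new` and send it as an attachment so the line survives intact. Two smaller points on the same line: both the removed and the added line end in `";;`, so the redundant second semicolon could be dropped while the line is being touched, and since the hunk changes nothing but the URL scheme, it is worth confirming that the HTTP client used by yubikey_client_request() actually verifies the server certificate, otherwise the move to https does not deliver the protection the report is after.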

Whether the existing package has been exposing users' passwords in cleartext
since 2011 and the impact that may have had, I'll leave to the maintainer to
determine.

Dan
