Bug#510417: links2: silently accepts bad SSL certificates
Hello

It's true that links doesn't visually notify the user in such case. I see the following solutions:

1. Disable https support
2. Notify the user about this behaviour in README.Debian
3. Somehow notify the user (I think I talked to Karel about this problem, when I got the report but he didn't give any signs to get this fixed).

So if nobody sends a patch, it won't get fixed

Yours
Guerkan

-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Processed: Re: Bug#510417: links2: silently accepts bad SSL certificates
Processing commands for cont...@bugs.debian.org:

> found 510417 2.1pre26-4
Bug#510417: links2: silently accepts bad SSL certificates
Bug marked as found in version 2.1pre26-4.

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)
Bug#510417: links2: silently accepts bad SSL certificates
Adeodato Simó writes:

> * Neil Moore [Thu, 01 Jan 2009 11:57:35 -0500]:
>
> > Package: links2
> > Version: 2.2-1
> > Severity: grave
> > Tags: security
> > Justification: user security hole
>
> Hello, Neil. I'm sorry I'm not mailing you to help solve this bug, since
> I'm not the maintainer of links2.
>
> I do release management in Debian, and I'm interested in knowing whether
> this bug affects 2.1pre37-1.1, which is currently in stable (and testing).
> Do you know if that is the case? Could you perhaps check?

The bug is present in 2.1pre37-1.1, as well as in 2.1pre26-4 (the version in oldstable).

The site I am using to test is internal, and will soon have a real certificate, hence my reluctance to post its URL. One can test for at least part of the problem with:

https://i.broke.the.internet.and.all.i.got.was.this.t-shirt.phreedom.org/

(the URL from the dillo bug #510348). This site has an (intentionally) expired certificate, and is signed with a fake (collided) MD5-hashed CA cert, though it does have a correct hostname. Depending on the version of OpenSSL and the CA certs list, it should report either an expired cert or a bad signature.

Hope this helps,

-- 
Neil Moore, n...@s-z.org, http://s-z.org/neil/
Bug#510417: links2: silently accepts bad SSL certificates
* Neil Moore [Thu, 01 Jan 2009 11:57:35 -0500]:

> Package: links2
> Version: 2.2-1
> Severity: grave
> Tags: security
> Justification: user security hole

Hello, Neil. I'm sorry I'm not mailing you to help solve this bug, since I'm not the maintainer of links2.

I do release management in Debian, and I'm interested in knowing whether this bug affects 2.1pre37-1.1, which is currently in stable (and testing). Do you know if that is the case? Could you perhaps check?

Thanks,

> Links2 does not validate certificates it receives; as a result, there is
> no warning that one is visiting a page with an expired certificate, a
> certificate not signed by a trusted authority, or a certificate for the
> wrong hostname. As a result, an attacker capable of intercepting one's
> packets can launch a man-in-the-middle attack to obtain account numbers,
> passwords, etc.
>
> At the very least, the documentation should prominently warn that
> links2's HTTPS support is not to be relied upon for sensitive
> information.
>
> This is the same issue reported in bug 510348 for the (unrelated) browser
> 'dillo'.
>
> -- System Information:
> Debian Release: 5.0
>   APT prefers unstable
>   APT policy: (500, 'unstable'), (1, 'experimental')
> Architecture: i386 (i686)
> Kernel: Linux 2.6.26-1-openvz-686 (SMP w/1 CPU core)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash
>
> Versions of packages links2 depends on:
> ii  libc6              2.7-16             GNU C Library: Shared libraries
> ii  libdirectfb-1.0-0  1.0.1-11           direct frame buffer graphics - sha
> ii  libgpm2            1.20.4-3.1         General Purpose Mouse - shared lib
> ii  libjpeg62          6b-14              The Independent JPEG Group's JPEG
> ii  libpng12-0         1.2.27-2           PNG library - runtime
> ii  libssl0.9.8        0.9.8g-14          SSL shared libraries
> ii  libsvga1           1:1.4.3-27         console SVGA display libraries
> ii  libtiff4           3.8.2-11           Tag Image File Format (TIFF) libra
> ii  libx11-6           2:1.1.5-2          X11 client-side library
> ii  zlib1g             1:1.2.3.3.dfsg-12  compression library - runtime
>
> links2 recommends no packages.
>
> links2 suggests no packages.
>
> -- no debconf information

-- 
- Are you sure we're good?
- Always.
        -- Rory and Lorelai
Bug#510417: links2: silently accepts bad SSL certificates
Package: links2
Version: 2.2-1
Severity: grave
Tags: security
Justification: user security hole

Links2 does not validate certificates it receives; as a result, there is no warning that one is visiting a page with an expired certificate, a certificate not signed by a trusted authority, or a certificate for the wrong hostname. As a result, an attacker capable of intercepting one's packets can launch a man-in-the-middle attack to obtain account numbers, passwords, etc.

At the very least, the documentation should prominently warn that links2's HTTPS support is not to be relied upon for sensitive information.

This is the same issue reported in bug 510348 for the (unrelated) browser 'dillo'.

-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-openvz-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages links2 depends on:
ii  libc6              2.7-16             GNU C Library: Shared libraries
ii  libdirectfb-1.0-0  1.0.1-11           direct frame buffer graphics - sha
ii  libgpm2            1.20.4-3.1         General Purpose Mouse - shared lib
ii  libjpeg62          6b-14              The Independent JPEG Group's JPEG
ii  libpng12-0         1.2.27-2           PNG library - runtime
ii  libssl0.9.8        0.9.8g-14          SSL shared libraries
ii  libsvga1           1:1.4.3-27         console SVGA display libraries
ii  libtiff4           3.8.2-11           Tag Image File Format (TIFF) libra
ii  libx11-6           2:1.1.5-2          X11 client-side library
ii  zlib1g             1:1.2.3.3.dfsg-12  compression library - runtime

links2 recommends no packages.

links2 suggests no packages.

-- no debconf information
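The three checks the report says links2 skips (certificate expiry, a chain of trust to a known CA, and a hostname match) are exactly what a TLS client library performs when verification is switched on. The script below is an added example for this thread, not code from links2 or Debian: it opens an HTTPS connection with Python's `ssl` module in its validating configuration, classifies any verification failure into the report's three categories, and shows for contrast what a non-validating client amounts to. The numeric verify codes are OpenSSL's X509_V_ERR_* values as surfaced by `ssl.SSLCertVerificationError.verify_code`; the default target is the test site named in Neil Moore's follow-up.

```python
"""Probe an HTTPS endpoint with the three checks the bug report says links2
skips (expiry, chain of trust, hostname) and report which one fails.
Added example for this thread; not code from links2 or Debian."""
import socket
import ssl

# OpenSSL X509_V_ERR_* values, surfaced by Python (3.7+) as
# ssl.SSLCertVerificationError.verify_code.
EXPIRED = {10}                # X509_V_ERR_CERT_HAS_EXPIRED
UNTRUSTED = {18, 19, 20, 21}  # self-signed leaf, self-signed in chain,
                              # issuer cert not found, unable to verify leaf signature
HOSTNAME = {62}               # X509_V_ERR_HOSTNAME_MISMATCH


def classify(verify_code):
    """Map an OpenSSL verify code onto the failure classes named in the report."""
    if verify_code in EXPIRED:
        return "expired"
    if verify_code in UNTRUSTED:
        return "untrusted"
    if verify_code in HOSTNAME:
        return "hostname"
    return "other"


def validating_context():
    """The context a browser should use: system CA store loaded, CERT_REQUIRED,
    hostname checking on.  create_default_context() sets all three."""
    return ssl.create_default_context()


def non_validating_context():
    """What 'silently accepts bad SSL certificates' amounts to: encryption without
    authentication, so whoever sits on the path can present their own certificate.
    Shown only for contrast with validating_context()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def validates_peer(ctx):
    """True only if the context both verifies the chain and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def check_https(host, port=443, timeout=5.0):
    """Return ("ok", peer subject) on a clean handshake, or
    (failure class, OpenSSL's verify message) when validation rejects the peer."""
    ctx = validating_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "ok", tls.getpeercert().get("subject")
    except ssl.SSLCertVerificationError as err:
        return classify(err.verify_code), err.verify_message


if __name__ == "__main__":
    import sys
    # Default target is the test host from the thread; pass another on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else \
        "i.broke.the.internet.and.all.i.got.was.this.t-shirt.phreedom.org"
    print(check_https(target))
```

Run it against the thread's test host and the result is one of `("expired", ...)` or `("untrusted", ...)`, depending, as Neil notes, on the OpenSSL version and CA bundle in use; a client built the way `non_validating_context()` shows would instead return a page with no indication that anything was wrong, which is the behaviour the report describes.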