Re: [Lynx-dev] [oss-security] Re: bug in Lynx' SSL certificate validatio
From: Thorsten Glaser
Subject: Re: [Lynx-dev] [oss-security] Re: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances)
Date: Sat, 7 Aug 2021 18:49:57 +0000 (UTC)
Ariadne Conill dixit:
> It turns out SNI is only marginally related to this issue. The issue
> itself is far more severe: HTParse() does not understand the authn
> part of the URI at all.
Yes, of course. But without SNI, nothing would have been sent *in
plaintext* at all. The certificate validation fails¹, the connection
stops and the user is asked whether to continue.
① Tested on an OS without SNI in its libssl.
> As a workaround, I taught HTParse() how to parse the authn part of URIs, but
> Lynx itself needs to actually properly support the authn part really.
>
> I have attached the patch Alpine is using to work around this infoleak.
Thanks!
I recall having to work manually to strip the port from the hostname
for SSL certificate validation, ages ago, but I had not tested with
HTTP Auth sites back then.
bye,
//mirabilos
--
Last night my IRC network exploded. I had not expected
that, which is why I am smeared with blood… who could have guessed that THEY
would react like this… last night my IRC network exploded~~~
(as of 2021-06-15 The MirOS Project temporarily reconvenes on OFTC)
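
The problem discussed in this thread is that the userinfo part of the authority ends up in the name handed to TLS. As an added example (not code from Lynx and not the Alpine patch), the C sketch below reduces `[userinfo@]host[:port]` to the bare host before it is used for SNI or certificate name checks; `host_for_tls` is a hypothetical helper and the sample authority is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a Lynx function): copy only the host from a URI
 * authority "[userinfo@]host[:port]" into out, so that neither credentials
 * nor the port reach the TLS layer (certificate name check, and SNI when the
 * host is a DNS name). Returns 0 on success, -1 on error. */
int host_for_tls(const char *authority, char *out, size_t outlen)
{
    const char *host, *end, *at;
    size_t len;

    if (authority == NULL || out == NULL || outlen == 0)
        return -1;

    /* userinfo ends at the last '@'; a raw '@' cannot occur in host or port. */
    at = strrchr(authority, '@');
    host = at ? at + 1 : authority;

    if (*host == '[') {
        /* IPv6 literal: keep the text between the brackets, drop ":port". */
        end = strchr(host, ']');
        if (end == NULL)
            return -1;
        host++;
    } else {
        /* reg-name or IPv4: the port, if any, follows the first ':'. */
        end = strchr(host, ':');
        if (end == NULL)
            end = host + strlen(host);
    }

    len = (size_t)(end - host);
    if (len == 0 || len >= outlen)
        return -1;          /* empty host, or it would not fit: fail closed */
    memcpy(out, host, len);
    out[len] = '\0';
    return 0;
}

int main(void)
{
    char name[256];
    /* Constructed sample authority with credentials and a port. */
    if (host_for_tls("user:secret@example.org:8443", name, sizeof name) == 0)
        printf("TLS name: %s\n", name);
    return 0;
}
```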