Date: Tue, 04 Mar 2014 11:24:31 +0000
From: Daniel Kahn Gillmor <dkg@...thhorseman.net>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request?: konqueror - https uses all ciphers,
 even weak ones

On 03/04/2014 11:12 AM, John Haxby wrote:
> 
> On 4 Mar 2014, at 11:01, Daniel Kahn Gillmor <dkg@...thhorseman.net> wrote:
> 
>> Here is another situation where konqueror successfully indicates a
>> "secure" connection to a server that has a known-insecure configuration:
>> point konqueror at: https://demo.cmrg.net/ -- you'll see a successful
>> connection, though that server only offers DHE over a
>> trivially-crackable 16-bit group.
> 
> I suspect that this problem is fairly wide-ranging.

Perhaps this needs more than one RFC, then?

>   Apple’s Safari also permits the link.

I consider this a flaw in Safari.  These connections are trivially
decryptable by any passive eavesdropper.  An active attacker can tamper
with the content of the session.

>  Google Chrome doesn’t permit the link though, it just crashes :)

On what platform?  Is this for any connection, or just for a primary
connection?  That is, can any web site crash google chrome with <img
src="https://demo.cmrg.net/" /> ?

(sorry, i don't have either chrome or safari handy to test it myself
right now)

	--dkg
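
For the weak-DHE case discussed in this message, a client-side check as an added example (not part of the original post and not any browser's code): it parses the DHE parameters at the start of a TLS ServerKeyExchange body and refuses groups below a minimum size. The 2048-bit floor, the function names and both sample messages are assumptions constructed for the example.

```python
import struct

MIN_DH_BITS = 2048  # assumed policy floor for this example, not a value from the thread

def _read_vec16(buf, off):
    """Read one opaque<1..2^16-1> vector: 2-byte big-endian length, then data."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("bad vector length")
    return int.from_bytes(buf[off:off + n], "big"), off + n

def parse_server_dh_params(body):
    """Parse dh_p, dh_g, dh_Ys from the start of a DHE ServerKeyExchange body
    (ServerDHParams, RFC 5246 section 7.4.3); the signature that follows is ignored."""
    p, off = _read_vec16(body, 0)
    g, off = _read_vec16(body, off)
    ys, off = _read_vec16(body, off)
    return p, g, ys

def check_dh_params(body, min_bits=MIN_DH_BITS):
    """Return reasons to abort the handshake; an empty list means acceptable.
    Checks size and ranges only; it does not test that p is prime."""
    p, g, ys = parse_server_dh_params(body)
    problems = []
    if p.bit_length() < min_bits:
        problems.append(f"group is {p.bit_length()} bits, minimum is {min_bits}")
    if p % 2 == 0:
        problems.append("modulus is even")
    if not 1 < g < p - 1:
        problems.append("generator out of range")
    if not 1 < ys < p - 1:
        problems.append("server public value out of range")
    return problems

def _vec16(n):
    """Encode an integer as a length-prefixed vector (builds the samples below)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return struct.pack("!H", len(raw)) + raw

# Constructed samples, not captured traffic: a 16-bit group, and a 2048-bit
# odd modulus that only exercises the size check (it is not a vetted prime).
WEAK_BODY = _vec16(65521) + _vec16(2) + _vec16(4660)
BIG_BODY = _vec16((1 << 2047) | 1) + _vec16(2) + _vec16(5)

if __name__ == "__main__":
    for name, body in (("16-bit group", WEAK_BODY), ("2048-bit group", BIG_BODY)):
        print(name, "->", check_dh_params(body) or "ok")
```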

