Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 04 Mar 2014 11:24:31 +0000
From: Daniel Kahn Gillmor <dkg@...thhorseman.net>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request?: konqueror - https uses all ciphers,
 even weak ones

On 03/04/2014 11:12 AM, John Haxby wrote:
> 
> On 4 Mar 2014, at 11:01, Daniel Kahn Gillmor <dkg@...thhorseman.net> wrote:
> 
>> Here is another situation where konqueror successfully indicates a
>> "secure" connection to a server that has a known-insecure configuration:
>> point konqueror at: https://demo.cmrg.net/ -- you'll see a successful
>> connection, though that server only offers DHE over a
>> trivially-crackable 16-bit group.
> 
> I suspect that this problem is fairly wide-ranging.

Perhaps this needs more than one RFC, then?

>   Apple’s Safari also permits the link.

I consider this a flaw in Safari.  These connections are trivially
decryptable by any passive eavesdropper.  An active attacker can tamper
with the content of the session.

>  Google Chrome doesn’t permit the link though, it just crashes :)

On what platform?  Is this for any connection, or just for a primary
connection?  That is, can any web site can crash google chrome with <img
src="https://demo.cmrg.net/" /> ?

(sorry, i don't have either chrome or safari handy to test it myself
right now)

	--dkg


Download attachment "signature.asc" of type "application/pgp-signature" (1011 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ