Date: Tue, 4 Mar 2014 12:28:21 +0000
From: John Haxby <john.haxby@...cle.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request?: konqueror - https uses all ciphers, even weak ones


On 4 Mar 2014, at 11:24, Daniel Kahn Gillmor <dkg@...thhorseman.net> wrote:

>> Google Chrome doesn’t permit the link though, it just crashes :)
> 
> On what platform?  Is this for any connection, or just for a primary
> connection?  That is, can any web site crash google chrome with <img
> src="https://demo.cmrg.net/" /> ?
> 
> (sorry, i don't have either chrome or safari handy to test it myself
> right now)

Chrome crashes on both Linux and Mavericks.

openssl s_client doesn’t report problems, but I wouldn’t expect it to.

wget just downloads index.html without any issue.

Firefox, elinks, midori and curl all refuse one way or another.

I didn’t test any more.  Apart from chrome, those are all on Fedora 20.

I agree that the connections being so trivially decryptable represents a flaw that should be fixed.

jch
