Date: Tue, 04 Mar 2014 11:24:31 +0000
From: Daniel Kahn Gillmor <dkg@...thhorseman.net>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request?: konqueror - https uses all ciphers, even weak ones

On 03/04/2014 11:12 AM, John Haxby wrote:
>
> On 4 Mar 2014, at 11:01, Daniel Kahn Gillmor <dkg@...thhorseman.net> wrote:
>
>> Here is another situation where konqueror successfully indicates a
>> "secure" connection to a server that has a known-insecure configuration:
>> point konqueror at: https://demo.cmrg.net/ -- you'll see a successful
>> connection, though that server only offers DHE over a
>> trivially-crackable 16-bit group.
>
> I suspect that this problem is fairly wide-ranging.

Perhaps this needs more than one RFC, then?

> Apple’s Safari also permits the link.

I consider this a flaw in Safari. These connections are trivially
decryptable by any passive eavesdropper. An active attacker can tamper
with the content of the session.

> Google Chrome doesn’t permit the link though, it just crashes :)

On what platform? Is this for any connection, or just for a primary
connection? That is, can any web site crash google chrome with
<img src="https://demo.cmrg.net/" /> ?

(sorry, i don't have either chrome or safari handy to test it myself
right now)

--dkg
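As an added example, not part of this thread or of any of the browsers discussed: a defender-side check that parses the ServerDHParams at the start of a TLS 1.2 ServerKeyExchange handshake message (RFC 5246, section 7.4.3) and reports the bit length of the DH modulus, so a client or a passive monitor can refuse or flag a group as small as the 16-bit one described above. The 2048-bit threshold and the sample messages are constructed assumptions; the sample moduli are not prime and serve only to exercise the parser.

```python
import struct
from dataclasses import dataclass

HANDSHAKE_SERVER_KEY_EXCHANGE = 12
MIN_SAFE_DH_BITS = 2048  # assumed policy floor; pick what your deployment tolerates


@dataclass
class DhParams:
    p_bits: int   # size of the DH modulus p in bits
    g: int        # generator


def _read_vector(buf: bytes, off: int):
    """Read a TLS opaque<1..2^16-1> vector (2-byte length prefix) at offset."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    n = struct.unpack("!H", buf[off:off + 2])[0]
    off += 2
    if off + n > len(buf):
        raise ValueError("truncated vector body")
    return buf[off:off + n], off + n


def parse_dhe_server_key_exchange(msg: bytes) -> DhParams:
    """Parse p and g from a ServerKeyExchange message; the trailing signature is ignored."""
    if len(msg) < 4 or msg[0] != HANDSHAKE_SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    p, off = _read_vector(body, 0)
    g, off = _read_vector(body, off)
    _ys, _off = _read_vector(body, off)  # server public value, not needed for the size check
    return DhParams(p_bits=int.from_bytes(p, "big").bit_length(), g=int.from_bytes(g, "big"))


def dh_group_is_acceptable(params: DhParams, min_bits: int = MIN_SAFE_DH_BITS) -> bool:
    """Reject any modulus below the policy floor; a 16-bit p is far below it."""
    return params.p_bits >= min_bits


def build_server_key_exchange(p: int, g: int, ys: int) -> bytes:
    """Constructed sample: wrap ServerDHParams (without signature) in a handshake header."""
    def vec(n: int) -> bytes:
        b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
        return struct.pack("!H", len(b)) + b
    body = vec(p) + vec(g) + vec(ys)
    return bytes([HANDSHAKE_SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body


# Constructed samples: a 16-bit modulus like the one in the thread, and a 2048-bit one.
WEAK_SKE = build_server_key_exchange(p=0xFFFF, g=2, ys=0x1234)
STRONG_SKE = build_server_key_exchange(p=(1 << 2047) | 0x1235, g=2, ys=(1 << 2000) | 7)
```

Run against the two samples, the weak message is rejected and the 2048-bit one passes; the same parser can be applied to ServerKeyExchange records pulled from a packet capture.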