Date: Sat, 7 Aug 2021 18:49:57 +0000 (UTC)
From: Thorsten Glaser <tg@...bsd.de>
To: Ariadne Conill <ariadne@...eferenced.org>
cc: oss-security@...ts.openwall.com, Axel Beckert <abe@...ian.org>, lynx-dev@...gnu.org, security@...ian.org, 991971@...s.debian.org
Subject: Re: [Lynx-dev] Re: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances)

Ariadne Conill dixit:

> It turns out SNI is only marginally related to this issue. The issue
> itself is far more severe: HTParse() does not understand the authn
> part of the URI at all.

Yes, of course. But without SNI, nothing would have been sent *in
plaintext* at all. The certificate validation fails¹, the connection
stops and the user is asked whether to continue.

① Tested on an OS without SNI in its libssl.

> As a workaround, I taught HTParse() how to parse the authn part of URIs, but
> Lynx itself needs to actually properly support the authn part really.
>
> I have attached the patch Alpine is using to work around this infoleak.

Thanks! I recall having to work manually to strip the port from the
hostname for SSL certificate validation, ages ago, but I had not tested
with HTTP Auth sites back then.

bye,
//mirabilos
-- 
Last night my IRC network exploded. I hadn't expected it, which is why
I'm smeared with blood… who could have guessed THEY would react like
that… last night my IRC network exploded~~~
	(as of 2021-06-15 The MirOS Project temporarily reconvenes on OFTC)
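The thread above turns on one parsing mistake: if the URI authority is not split into userinfo, host and port, the whole "user:pass@host" string becomes the "hostname" that the TLS layer later sends in cleartext as the SNI server_name. The following C program is an added illustration written for this page; it is not Lynx's HTParse() nor the Alpine patch, and the names parse_authority, sni_name_is_safe and struct authority are hypothetical. It splits the authority per RFC 3986 (userinfo before the last '@', bracketed IPv6 literals, port after the final ':') and adds a guard that refuses to hand a name containing '@' or ':' to the TLS layer, which is the check a client can use to detect exactly this class of leak before connecting.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Hypothetical helper (not Lynx's HTParse): split the authority part of a
 * URL into userinfo, host and port. Taking everything up to the first '/'
 * as the host would hand "user:pass@host" to the TLS layer, which then
 * sends it in the clear as the SNI server_name extension. */

#define MAXLEN 256

struct authority {
    char userinfo[MAXLEN]; /* "user:pass" or "" when absent */
    char host[MAXLEN];     /* "example.org" or "[::1]" */
    char port[16];         /* "8443" or "" when absent */
};

/* Returns 0 on success, -1 on malformed input. */
int parse_authority(const char *url, struct authority *out)
{
    const char *p, *end, *at, *colon, *host_start;
    size_t n;

    memset(out, 0, sizeof *out);

    p = strstr(url, "://");
    if (p == NULL) return -1;
    p += 3;

    /* The authority ends at the first '/', '?' or '#' (RFC 3986 s3.2);
     * an '@' in the path must never be mistaken for a userinfo delimiter. */
    end = p + strcspn(p, "/?#");

    /* userinfo is everything before the LAST '@' inside the authority */
    at = NULL;
    for (const char *q = p; q < end; q++) if (*q == '@') at = q;
    if (at != NULL) {
        n = (size_t)(at - p);
        if (n >= MAXLEN) return -1;
        memcpy(out->userinfo, p, n);
        out->userinfo[n] = '\0';
        host_start = at + 1;
    } else {
        host_start = p;
    }

    /* host: bracketed IPv6 literal, or reg-name/IPv4 up to the final ':' */
    if (*host_start == '[') {
        const char *close = memchr(host_start, ']', (size_t)(end - host_start));
        if (close == NULL) return -1;
        n = (size_t)(close - host_start + 1);
        colon = (close + 1 < end && close[1] == ':') ? close + 1 : NULL;
    } else {
        colon = NULL;
        for (const char *q = host_start; q < end; q++) if (*q == ':') colon = q;
        n = colon ? (size_t)(colon - host_start) : (size_t)(end - host_start);
    }
    if (n == 0 || n >= MAXLEN) return -1;
    memcpy(out->host, host_start, n);
    out->host[n] = '\0';

    if (colon != NULL) {
        n = (size_t)(end - (colon + 1));
        if (n >= sizeof out->port) return -1;
        memcpy(out->port, colon + 1, n);
        out->port[n] = '\0';
        /* a port is digits only; anything else means the split went wrong */
        for (size_t i = 0; i < n; i++)
            if (out->port[i] < '0' || out->port[i] > '9') return -1;
    }
    return 0;
}

/* Defensive check before the name reaches the TLS layer: an SNI host name
 * must never contain '@' or ':' and must not be an IP literal (RFC 6066
 * forbids literal addresses in server_name). Returns 1 if safe to send. */
int sni_name_is_safe(const char *host)
{
    return host[0] != '\0' && host[0] != '['
        && strchr(host, '@') == NULL && strchr(host, ':') == NULL;
}

int main(void)
{
    struct authority a;
    /* constructed sample URL; credentials are placeholders */
    const char *url = "https://alice:s3cret@example.org:8443/private/";
    if (parse_authority(url, &a) == 0)
        printf("userinfo=%s host=%s port=%s sni_ok=%d\n",
               a.userinfo, a.host, a.port, sni_name_is_safe(a.host));
    return 0;
}
```

Running it on the sample URL yields host "example.org" with the credentials kept apart in userinfo; feeding the unsplit authority string to sni_name_is_safe() returns 0, which is the point at which a client should abort rather than open the TLS connection.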