Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 7 Aug 2021 18:49:57 +0000 (UTC)
From: Thorsten Glaser <>
To: Ariadne Conill <>
cc:, Axel Beckert <>,,,
Subject: Re: [Lynx-dev] Re: bug in Lynx' SSL certificate
 validation -> leaks password in clear text via SNI (under some circumstances)

Ariadne Conill dixit:

> It turns out SNI is only marginally related to this issue.  The issue
> itself is far more severe: HTParse() does not understand the authn
> part of the URI at all.

Yes, of course. But without SNI, nothing would have been sent *in
plaintext* at all. The certificate validation fails¹, the connection
stops and the user is asked whether to continue.

① Tested on an OS without SNI in its libssl.

> As a workaround, I taught HTParse() how to parse the authn part of URIs, but
> Lynx itself needs to actually properly support the authn part really.
> I have attached the patch Alpine is using to work around this infoleak.


I recall having to work manually to strip the port from the hostname
for SSL certificate validation, ages ago, but I had not tested with
HTTP Auth sites back then.

Gestern Nacht ist mein IRC-Netzwerk explodiert. Ich hatte nicht damit
gerechnet, darum bin ich blutverschmiert… wer konnte ahnen, daß SIE so
reagier’n… gestern Nacht ist mein IRC-Netzwerk explodiert~~~
	(as of 2021-06-15 The MirOS Project temporarily reconvenes on OFTC)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.