Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat, 7 Aug 2021 23:53:18 +0200
From: Axel Beckert <>
To: Ariadne Conill <>
Cc: Salvatore Bonaccorso <>,,
Subject: Re: Re: Bug#991971: [Lynx-dev] bug in Lynx' SSL
 certificate validation -> leaks password in clear text via SNI (under some

Hi Ariadne,

[Dropping the Debian-specific recipients as this is no more related to
the maintenance of Debian's lynx package.]

Ariadne Conill wrote:
> > Citing from Ariadne's mail:
> > > The issue itself is far more severe: HTParse() does not understand
> > > the authn part of the URI at all.
> > […]
> > > But it will also leak in the Host: header on unencrypted
> > > connections, and also probably SSL ones too.
> > 
> > But that looks to me as if Ariadne just refers to the code and hasn't
> > actually checked it by trying it. Nevertheless thanks to Ariadne for
> > having had a look and proposing a patch!
> Yes, this was my guess since HTParse() doesn't understand the authn part.
> But this seems like a rather unfortunate design: parse the URI wrong, and
> then "fix" it later?  Why not just parse the URI right, to begin with?

I agree that it looks a bit unconventional and unintuitive. But I
assume this is because Lynx is actually older than the WWW. According
to Wikipedia[1], Lynx "is oldest web browser still being maintained,
having started in 1992". It was initially written for another
hypertext protocol (something university-internal and gopher-ish
according to Wikipedia -- English and German Wikipedia tell slightly
different stories here).

So it has quite some amount of history in its code and probably
especially in its code structure. And compared to those nearly 30
years, the Host header probably came in only after 5 years of
developement with HTTP/1.1 in 1997 or so. (And SNI much, much later,
kinda "just recently".) So I kinda have some understanding for this
unintuitive locations as most of the code is historically grown.

Then again, big kudos to Thomas Dickey for still maintaining and
developing Lynx. It can't be that easy to maintain a niche program
with a code base which such a long history.


		Regards, Axel
 ,''`.  |  Axel Beckert <>,
: :' :  |  Debian Developer, Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.