Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 7 Aug 2021 23:53:18 +0200
From: Axel Beckert <abe@...ian.org>
To: Ariadne Conill <ariadne@...eferenced.org>
Cc: Salvatore Bonaccorso <carnil@...ian.org>,
	oss-security@...ts.openwall.com, lynx-dev@...gnu.org
Subject: Re: Re: Bug#991971: [Lynx-dev] bug in Lynx' SSL
 certificate validation -> leaks password in clear text via SNI (under some
 circumstances)

Hi Ariadne,

[Dropping the Debian-specific recipients as this is no more related to
the maintenance of Debian's lynx package.]

Ariadne Conill wrote:
> > Citing from Ariadne's mail:
> > > The issue itself is far more severe: HTParse() does not understand
> > > the authn part of the URI at all.
> > […]
> > > But it will also leak in the Host: header on unencrypted
> > > connections, and also probably SSL ones too.
> > 
> > But that looks to me as if Ariadne just refers to the code and hasn't
> > actually checked it by trying it. Nevertheless thanks to Ariadne for
> > having had a look and proposing a patch!
> 
> Yes, this was my guess since HTParse() doesn't understand the authn part.
> But this seems like a rather unfortunate design: parse the URI wrong, and
> then "fix" it later?  Why not just parse the URI right, to begin with?

I agree that it looks a bit unconventional and unintuitive. But I
assume this is because Lynx is actually older than the WWW. According
to Wikipedia[1], Lynx "is oldest web browser still being maintained,
having started in 1992". It was initially written for another
hypertext protocol (something university-internal and gopher-ish
according to Wikipedia -- English and German Wikipedia tell slightly
different stories here).

So it has quite some amount of history in its code and probably
especially in its code structure. And compared to those nearly 30
years, the Host header probably came in only after 5 years of
developement with HTTP/1.1 in 1997 or so. (And SNI much, much later,
kinda "just recently".) So I kinda have some understanding for this
unintuitive locations as most of the code is historically grown.

Then again, big kudos to Thomas Dickey for still maintaining and
developing Lynx. It can't be that easy to maintain a niche program
with a code base which such a long history.

[1] https://en.wikipedia.org/wiki/Lynx_(web_browser)

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@...ian.org>, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.