Date: Sat, 7 Aug 2021 02:14:12 +0000 (UTC)
From: Thorsten Glaser <tg@...bsd.de>
To: Axel Beckert <abe@...ian.org>
cc: lynx-dev@...gnu.org, oss-security@...ts.openwall.com, security@...ian.org,
        991971@...s.debian.org
Subject: Re: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks
 password in clear text via SNI (under some circumstances)

Axel Beckert dixit:

>This is more severe than it initially looked like: Due to TLS Server
>Name Indication (SNI) the hostname as parsed by Lynx (i.e. with
>"user:pass@" included) is sent in _clear_ text over the wire even

I *ALWAYS* SAID SNI IS A SHIT THING ONLY USED AS BAD EXCUSE FOR NAT
BY PEOPLE WHO ARE TOO STUPID TO CONFIGURE THEIR SERVERS RIGHT AND AS
BAD EXCUSE FOR LACKING IPv6 SUPPORT, AND THEN THE FUCKING IDIOTS WENT
AND MADE SNI *MANDATORY* FOR TLSv1.3, AND I FEEL *SO* VINDICATED RIGHT
NOW! IDIOTS IN CHARGE OF SECURITY, FUCKING IDIOTS…

>But given that the symptoms Thorsten discovered stayed unreported for
>quite some years, I assume that this use case is a rather seldom one.

Nah, SNI is a rather recent thing. But…

>IMHO this nevertheless needs a CVE-ID.

… it probably does. Other browsers also need checking.

Thanks for the detective work,
//mirabilos
-- 
<diogenese> Beware of ritual lest you forget the meaning behind it.
<igli> yeah but it means if you really care about something, don't
    ritualise it, or you will lose it. don't fetishise it, don't
    obsess. or you'll forget why you love it in the first place.
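
Added example, not part of the original message and not Lynx's code: one way a client can derive the name it puts in the SNI extension from a URL authority so that a "user:pass@" prefix never reaches the wire. The function name sni_name_from_authority and the sample authorities are hypothetical; IP literals are refused because RFC 6066 does not permit them in the SNI HostName.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Derive the SNI name from a URL authority ("user:pass@host:port").
 * Returns 0 and writes the bare host to out, or -1 if no name should be sent. */
int sni_name_from_authority(const char *authority, char *out, size_t outlen)
{
    /* Userinfo ends at the last '@'; a host name cannot contain '@'. */
    const char *host = strrchr(authority, '@');
    host = host ? host + 1 : authority;

    /* Bracketed IPv6 literal: not allowed in SNI. */
    if (*host == '[')
        return -1;

    /* The port, if any, starts at the first ':' after the userinfo. */
    size_t len = strcspn(host, ":");
    if (len == 0 || len >= outlen)
        return -1;

    /* Accept only host name characters; digits and dots alone is IPv4. */
    int has_alpha = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (isalpha(c))
            has_alpha = 1;
        else if (!isdigit(c) && c != '-' && c != '.')
            return -1;
    }
    if (!has_alpha)
        return -1;

    memcpy(out, host, len);
    out[len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample authorities, not taken from the thread. */
    const char *samples[] = { "user:pass@example.org:443", "example.org",
                              "u:p@[2001:db8::1]:443", "u:p@192.0.2.1" };
    char name[256];
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        if (sni_name_from_authority(samples[i], name, sizeof name) == 0)
            printf("%-28s -> SNI \"%s\"\n", samples[i], name);
        else
            printf("%-28s -> no SNI sent\n", samples[i]);
    }
    return 0;
}
```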
