Date: Thu, 20 Apr 2023 15:44:08 -0700
From: Matthew Fernandez <matthew.fernandez@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules


On 4/20/23 14:26, Steffen Nurpmeso wrote:
> Jeffrey Walton wrote in
>   <CAH8yC8nYOGAsnPkm+f3-b7r4PvZ=QxeKT9DXK=MoFVoFDGav9w@...l.gmail.com>:
>   |On Thu, Apr 20, 2023 at 9:05 AM Steffen Nurpmeso <steffen@...oden.eu> \
>   |wrote:
>   |I don't think HTTPS discriminates against servers with self-signed
>   |certificates. A user is free to limit trust to a single, self-signed
>   |certificate. The docs show the user how to do it.
> 
> That seems very, very complicated for non-nerds.
> I fail to see user-enabled documentation for how to achieve this,
> but i am only using command line / console programs, it can be the
> desktop environments make this easy.

I hesitate to reply to this thread because I struggle to understand what 
topic it has diverged into, but I just wanted to note that embedded 
browsers configured to accept a single self-signed certificate are not 
uncommon in corporate environments. Thus a (non-technical) end user may 
be using a browser like this that has been configured for them by device 
management. Whether this is a good design/idea, I leave to others’ 
judgement.
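As an added illustration of the point raised in the quoted exchange (limiting an HTTP::Tiny client's trust to a single self-signed certificate while keeping verification on), here is example code that is not part of this thread or of HTTP::Tiny's own distribution. It uses HTTP::Tiny's documented `verify_SSL` and `SSL_options` parameters; the certificate path and the internal host name are placeholders.

```perl
#!/usr/bin/perl
# Added example (not from the thread): two HTTP::Tiny clients with explicit
# TLS verification settings. Assumes IO::Socket::SSL is installed; the CA file
# path and the internal host name below are placeholders.
use strict;
use warnings;
use HTTP::Tiny;

# 1. Public web: verify the server certificate against the system CA store.
#    HTTP::Tiny's historical default was verify_SSL => 0 (the subject of this
#    thread), so set it explicitly instead of relying on the default.
my $public = HTTP::Tiny->new(
    verify_SSL => 1,
);

# 2. Internal service with a self-signed certificate: keep verification on,
#    but replace the system CA store with that one certificate (or the private
#    CA that issued it). Entries in SSL_options override HTTP::Tiny's own
#    IO::Socket::SSL arguments; hostname checking stays active.
my $pinned = HTTP::Tiny->new(
    verify_SSL  => 1,
    SSL_options => {
        SSL_ca_file => '/etc/ssl/private-ca/self-signed.pem',   # placeholder path
    },
);

# Returns 1 when the request succeeded over a verified TLS connection,
# 0 otherwise. HTTP::Tiny reports connection-level failures, including a
# certificate chain that does not verify, as status 599 with the underlying
# error text in the content field.
sub fetch_ok {
    my ($client, $url) = @_;
    my $res = $client->get($url);
    return 1 if $res->{success};
    warn "$url: $res->{status} $res->{reason}\n";
    warn "  $res->{content}\n" if $res->{status} == 599;
    return 0;
}

fetch_ok($public, 'https://www.openwall.com/');
fetch_ok($pinned, 'https://service.example.internal/');   # placeholder host
```

With this layout the pinned client rejects any certificate the public CA store would accept, and the public client rejects the self-signed one, so a misrouted request fails closed rather than silently trusting the wrong issuer. IO::Socket::SSL also accepts `SSL_fingerprint` in `SSL_options` for pinning to a hash of the leaf certificate instead of a CA file, which is easier to distribute to non-technical users than a PEM bundle but has to be updated on every certificate renewal.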
