Debian Bug report logs - #694658
SSL certificate handling should be documented better


Package: links2; Maintainer for links2 is Axel Beckert <abe@debian.org>; Source for links2 is src:links2.

Reported by: ll lavander <lavander.sys@hotmail.com>

Date: Wed, 28 Nov 2012 18:54:02 UTC

Severity: important

Tags: security

Found in version links2/2.3~pre1-1+squeeze1



Report forwarded to debian-bugs-dist@lists.debian.org, Axel Beckert <abe@debian.org>:
Bug#694658; Package links2. (Wed, 28 Nov 2012 18:54:04 GMT)

Acknowledgement sent to ll lavander <lavander.sys@hotmail.com>:
New Bug report received and forwarded. Copy sent to Axel Beckert <abe@debian.org>. (Wed, 28 Nov 2012 18:54:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: ll lavander <lavander.sys@hotmail.com>
To: <submit@bugs.debian.org>
Subject: links2: still silently accepts bad SSL certificates
Date: Wed, 28 Nov 2012 18:50:31 +0000
Package: links2
Version: 2.3~pre1-1+squeeze1
Severity: grave
Tags: security
Justification: user security hole

This is in response to http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510417

>Links2 does not validate certificates it receives; as a result, there is
>no warning that one is visiting a page with an expired certificate, a
>certificate not signed by a trusted authority, or a certificate for the
>wrong hostname.  As a result, an attacker capable of intercepting one's
>packets can launch a man-in-the-middle attack to obtain account numbers,
>passwords, etc.
>
>At the very least, the documentation should prominently warn that
>links2's HTTPS support is not to be relied upon for sensitive
>information.

verify-ssl-certs-510417.diff does not fix this problem. The self-signed exception renders the validation of certificates worse than useless (e.g. mitm-proxy) because it provides a false sense of security. I suggest dropping the patch and warning the user that HTTPS support offers no security whatsoever.
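The following Go program is an added example; it is not part of this bug log, of links2, or of the verify-ssl-certs-510417.diff patch. It builds a throwaway CA and test certificates in memory (every CA name and hostname in it is constructed for the example) and applies two client policies to each certificate: a strict check (chain to a trusted root, validity window, hostname match) and the same check with a "self-signed exception" of the kind the report objects to. Because any interceptor can mint a self-signed certificate for the hostname it is impersonating, the lenient policy accepts the attacker's certificate while still rejecting the expired and wrong-host ones, which is the false sense of security the report describes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// makeCert builds a P-256 certificate for name; with parent == nil it signs itself.
func makeCert(name string, isCA bool, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: notBefore, NotAfter: notAfter, BasicConstraintsValid: true, IsCA: isCA,
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // hostnames are matched against the SAN list
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// BuildScenario creates a throwaway CA and, keyed by label, one constructed certificate per situation the report lists.
func BuildScenario() (*x509.CertPool, map[string]*x509.Certificate, time.Time) {
	now := time.Now()
	from, to := now.Add(-time.Hour), now.Add(24*time.Hour)
	ca, caKey := makeCert("Example Trusted CA", true, from, to, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	certs := map[string]*x509.Certificate{}
	certs["CA-issued, correct host"], _ = makeCert("bank.example", false, from, to, ca, caKey)
	certs["self-signed by attacker"], _ = makeCert("bank.example", false, from, to, nil, nil)
	certs["CA-issued but expired"], _ = makeCert("bank.example", false, now.Add(-48*time.Hour), now.Add(-24*time.Hour), ca, caKey)
	certs["CA-issued, wrong host"], _ = makeCert("other.example", false, from, to, ca, caKey)
	return roots, certs, now
}

// StrictVerify is what an HTTPS client must do: chain to a trusted root, check the validity window, match the hostname.
func StrictVerify(cert *x509.Certificate, roots *x509.CertPool, host string, now time.Time) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err
}

// LenientVerify adds the "self-signed exception" the report objects to: a certificate that signs itself skips every other check.
func LenientVerify(cert *x509.Certificate, roots *x509.CertPool, host string, now time.Time) error {
	if cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
		return nil // anyone, including a MITM proxy, can mint such a certificate
	}
	return StrictVerify(cert, roots, host, now)
}

// Reason maps a verification error to the warning a user should see.
func Reason(err error) string {
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return "accepted"
	case errors.As(err, new(x509.UnknownAuthorityError)):
		return "untrusted issuer"
	case errors.As(err, new(x509.HostnameError)):
		return "hostname mismatch"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired"
	}
	return "rejected: " + err.Error()
}

func main() {
	roots, certs, now := BuildScenario()
	for label, c := range certs {
		fmt.Printf("%-24s strict: %-18s lenient: %s\n", label,
			Reason(StrictVerify(c, roots, "bank.example", now)),
			Reason(LenientVerify(c, roots, "bank.example", now)))
	}
}
```

Run it with go run: the strict column shows the distinct warning a user should get for each case, while the lenient column shows the self-signed exception waving the attacker's certificate through even though it chains to nothing the client trusts.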

Severity set to 'important' from 'grave' Request was from Axel Beckert <abe@debian.org> to control@bugs.debian.org. (Wed, 28 Nov 2012 21:15:06 GMT)

Changed Bug title to 'SSL certificate handling should be documented better' from 'links2: still silently accepts bad SSL certificates' Request was from Axel Beckert <abe@debian.org> to control@bugs.debian.org. (Wed, 28 Nov 2012 21:21:06 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 19:52:41 2014; Machine Name: beach.debian.org
