On Wednesday 13 March 2013 at 15:59 -0600, Vincent Danen wrote:
> * [2013-03-13 22:12:25 +0100] Sébastien Villemot wrote:
>
> >On Wednesday 13 March 2013 at 11:58 -0600, Vincent Danen wrote:
> >> This issue was given the name CVE-2010-3312 quite a while ago. See
> >> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3312 for more info.
> >
> >I don't think this is the same issue. The problem reported here is
> >specifically about redirections, while CVE-2010-3312 (#564690 in Debian)
> >was about *never* verifying SSL certs (and is now fixed).
>
> Well, the issue in our bugzilla is still not fixed in the latest Fedora
> version and since the bug is about epiphany not validating certificates
> in general. Are you sure it's fixed? If it's fixed in Debian but not
> upstream, then this should probably be classified as a separate issue
> (but from where I sit, we have 3.6.1 in Fedora 18 and it doesn't seem to
> do anything right with regards to SSL certificates).

In Debian, with version 3.4.2, visiting a site with an invalid SSL
certificate leads to the display of a broken-lock icon in the right-hand
side of the address bar. This was considered as sufficient for Debian, see
bug #603594 for more details on this.

OTOH, when I visit the URL reported by the submitter, I get the (normal)
lock icon, i.e. epiphany considers that the site is secure (even though the
certificate common name does not match the hostname typed by the user).

-- 
 .''`.    Sébastien Villemot
: :' :    Debian Developer
`. `'     http://www.dynare.org/sebastien
  `-      GPG Key: 4096R/381A7594