* [2013-03-13 23:10:41 +0100] Sébastien Villemot wrote:
On Wednesday, 13 March 2013 at 15:59 -0600, Vincent Danen wrote:
* [2013-03-13 22:12:25 +0100] Sébastien Villemot wrote:
>On Wednesday, 13 March 2013 at 11:58 -0600, Vincent Danen wrote:
>> This issue was given the name CVE-2010-3312 quite a while ago. See
>> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3312 for more info.
>
>I don't think this is the same issue. The problem reported here is
>specifically about redirections, while CVE-2010-3312 (#564690 in Debian)
>was about *never* verifying SSL certs (and is now fixed).
Well, the issue in our bugzilla is still not fixed in the latest Fedora
version, and the bug is about epiphany not validating certificates
in general. Are you sure it's fixed? If it's fixed in Debian but not
upstream, then this should probably be classified as a separate issue
(but from where I sit, we have 3.6.1 in Fedora 18 and it doesn't seem to
do anything right with regards to SSL certificates).
In Debian, with version 3.4.2, visiting a site with an invalid SSL
certificate leads to the display of a broken-lock icon on the right-hand
side of the address bar. This was considered sufficient for
Debian; see bug #603594 for more details on this.
OTOH, when I visit the URL reported by the submitter, I get the (normal)
lock icon, i.e. epiphany considers that the site is secure (even though
the certificate common name does not match the hostname typed by the
user).
Ahh, ok, understood.
Yeah, this might be a different problem although when I looked at the
examples you have, it was an actual redirect, so despite the user typing
one thing and then there being a redirect, the URL in the browser
matches the certificate.
I don't think I would consider that a security flaw. Google Chrome
doesn't think so either. For instance, I added a PHP script to redirect
from one valid HTTPS site to a completely different HTTPS site (using
the header() function) and Chrome still gives me the green padlock,
despite me typing one thing and ending up somewhere completely
different.
I wouldn't consider this a security flaw. This is just how it works.
FWIW, Firefox acts the same way. Visit
https://annvix.com/images/redirect.php and it will take you to github,
both HTTPS, no complaints.
--
Vincent Danen / Red Hat Security Response Team
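The behaviour Vincent describes (a redirect from one HTTPS site to another HTTPS site with no warning, and a lock that reflects the final host) follows from how a client validates certificates per hop: the certificate presented by each server is matched against the hostname of that hop, and the first hop's certificate has to validate before its 302 response is even trusted. The script below is an added illustration, not code from this thread, from epiphany, or from any browser. The annvix.com to github.com chain mirrors the URL Vincent posted, but the certificates and responses are constructed in a dictionary so it runs offline; the hosts typed.example and other.example are hypothetical and show the case Sébastien reported, where the certificate name does not match the hostname the user typed.

```python
"""Added example: hostname verification across an HTTPS redirect chain.

Each hop's certificate is matched against the host of that hop, not the
host the user originally typed.  Certificates and responses are constructed
stand-ins for what a real TLS handshake and HTTP request would return.
"""
from urllib.parse import urljoin, urlparse

MAX_REDIRECTS = 5

# Constructed certificates: subject CN and subjectAltName dNSName entries.
CERTS = {
    "annvix.com": {"cn": "annvix.com", "san": ["annvix.com", "www.annvix.com"]},
    "github.com": {"cn": "github.com", "san": ["github.com", "www.github.com"]},
    # Hypothetical misconfigured host: its certificate was issued to another name.
    "typed.example": {"cn": "other.example", "san": ["other.example"]},
}

# Constructed responses keyed by (host, path): (status, Location header or None).
RESPONSES = {
    ("annvix.com", "/images/redirect.php"): (302, "https://github.com/"),
    ("github.com", "/"): (200, None),
    ("typed.example", "/"): (302, "https://github.com/"),
}


class CertificateError(Exception):
    """Raised when a hop's certificate does not match that hop's hostname."""


class RedirectError(Exception):
    """Raised for non-HTTPS hops, unknown hosts, or redirect loops."""


def _name_matches(pattern, host):
    """Match one certificate name against a host, RFC 6125 style (simplified):
    case-insensitive, and a leading '*.' matches exactly one DNS label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[2:]
        if "." not in suffix:          # reject over-broad wildcards such as *.com
            return False
        first, _, rest = host.partition(".")
        return bool(first) and rest == suffix
    return pattern == host


def hostname_matches(cert, host):
    """dNSName SANs take precedence; the CN is only consulted if there are none."""
    names = cert["san"] or [cert["cn"]]
    return any(_name_matches(name, host) for name in names)


def fetch_chain(url):
    """Follow redirects the way a browser does: verify each hop's certificate
    against that hop's host before trusting its response.  Returns
    (final_url, [(host, status), ...])."""
    hops = []
    for _ in range(MAX_REDIRECTS + 1):
        parts = urlparse(url)
        if parts.scheme != "https":
            raise RedirectError("non-HTTPS hop: " + url)
        host = parts.hostname
        cert = CERTS.get(host)
        if cert is None:
            raise RedirectError("no connection for unknown host " + str(host))
        # The certificate check happens on the hop we actually connected to.
        if not hostname_matches(cert, host):
            raise CertificateError(
                "certificate for %s does not match %s" % (cert["cn"], host))
        status, location = RESPONSES.get((host, parts.path or "/"), (404, None))
        hops.append((host, status))
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)   # next hop gets its own check
            continue
        return url, hops
    raise RedirectError("too many redirects")


if __name__ == "__main__":
    print(fetch_chain("https://annvix.com/images/redirect.php"))
    try:
        fetch_chain("https://typed.example/")
    except CertificateError as exc:
        print("rejected before following the redirect:", exc)
```

The first call ends at github.com with both hops validated, which is the lock Vincent sees in Chrome and Firefox. The second call fails on the very first hop: the 302 never gets followed because the connection that carried it was to a host whose certificate does not name it. A client that shows a normal lock in that second situation is the behaviour the Debian bug is about.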