Package: links2
Version: 2.3~pre1-1+squeeze1
Severity: grave
Tags: security
Justification: user security hole

This is in response to http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510417

> Links2 does not validate certificates it receives; as a result, there is
> no warning that one is visiting a page with an expired certificate, a
> certificate not signed by a trusted authority, or a certificate for the
> wrong hostname. As a result, an attacker capable of intercepting one's
> packets can launch a man-in-the-middle attack to obtain account numbers,
> passwords, etc.
>
> At the very least, the documentation should prominently warn that
> links2's HTTPS support is not to be relied upon for sensitive
> information.

verify-ssl-certs-510417.diff does not fix this problem. The self-signed
exception renders the validation of certificates worse than useless (e.g.
mitm-proxy) because it provides a false sense of security. I suggest
dropping the patch and warning the user that HTTPS support offers no
security whatsoever.
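The following is an added example, not code from links2 or from the Debian patch, that models the three acceptance policies at issue in the report: the strict checks (expiry, trusted issuer, hostname) that the quoted bug says links2 lacks, the "self-signed exception" the reporter objects to, and a fingerprint-pinning alternative for hosts that genuinely use self-signed certificates. Certificates here are constructed sample records rather than real X.509, and "signing" is modelled by recording the signer's key on the certificate; the hostnames, keys and the `Cert` type are all assumptions made for the illustration.

```python
"""Model of the certificate-acceptance policies discussed in the report.

Added example, not links2 or patch code. Certs are constructed sample
records; a signature is modelled as the signer's key recorded on the cert.
"""
import hashlib
from dataclasses import dataclass

YEAR = 365 * 24 * 3600


@dataclass(frozen=True)
class Cert:
    subject: str       # hostname the certificate claims (CN / SAN)
    issuer: str        # subject of the signer; equals subject when self-signed
    not_after: float   # expiry, seconds since the epoch
    pubkey: bytes      # stand-in for the subject's public key
    signed_by: bytes   # stand-in for the signer's public key

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer and self.signed_by == self.pubkey

    def fingerprint(self) -> str:
        return hashlib.sha256(self.subject.encode() + self.pubkey).hexdigest()


def hostname_matches(pattern: str, host: str) -> bool:
    """Exact match, or a single leading wildcard label (RFC 6125 style)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                                  # ".bank.example"
        label = host[: -len(suffix)] if host.endswith(suffix) else ""
        return bool(label) and "." not in label               # exactly one label
    return False


def verify_strict(cert, host, anchors, now):
    """The checks the quoted bug says links2 lacks. Returns None if the
    certificate is acceptable, otherwise the reason for rejection."""
    if now > cert.not_after:
        return "expired"
    if not hostname_matches(cert.subject, host):
        return "wrong hostname"
    if not any(a.subject == cert.issuer and a.pubkey == cert.signed_by for a in anchors):
        return "not signed by a trusted authority"
    return None


def verify_with_self_signed_exception(cert, host, anchors, now):
    """The flawed policy the reporter objects to: self-signed certs skip validation."""
    if cert.self_signed:
        return None
    return verify_strict(cert, host, anchors, now)


def verify_with_pin(cert, host, anchors, pins, now):
    """Self-signed certs are accepted only if the user previously pinned this
    exact fingerprint for this host (trust on first use); anything else is
    held to the strict checks."""
    if cert.self_signed:
        if pins.get(host) != cert.fingerprint():
            return "self-signed certificate not pinned for this host"
        if now > cert.not_after:
            return "expired"
        return None
    return verify_strict(cert, host, anchors, now)


# Constructed sample data (hypothetical hosts and keys).
NOW = 1_700_000_000.0
ROOT = Cert("Example Root CA", "Example Root CA", NOW + 10 * YEAR, b"root-key", b"root-key")
ANCHORS = [ROOT]
BANK = Cert("www.bank.example", "Example Root CA", NOW + YEAR, b"bank-key", b"root-key")
EXPIRED = Cert("www.bank.example", "Example Root CA", NOW - 1, b"old-key", b"root-key")
WRONG_HOST = Cert("www.other.example", "Example Root CA", NOW + YEAR, b"other-key", b"root-key")
# What an interceptor (a MITM proxy) presents: a freshly minted self-signed
# certificate bearing the victim's hostname.
MITM = Cert("www.bank.example", "www.bank.example", NOW + YEAR, b"attacker-key", b"attacker-key")
# A legitimately self-signed internal host whose fingerprint the user pinned.
INTRANET = Cert("wiki.internal", "wiki.internal", NOW + YEAR, b"wiki-key", b"wiki-key")
PINS = {"wiki.internal": INTRANET.fingerprint()}


def outcomes():
    """Verdict (None = accept, else reason) of each policy on the sample certs."""
    host = "www.bank.example"
    return {
        "strict/bank": verify_strict(BANK, host, ANCHORS, NOW),
        "strict/expired": verify_strict(EXPIRED, host, ANCHORS, NOW),
        "strict/wrong-host": verify_strict(WRONG_HOST, host, ANCHORS, NOW),
        "strict/mitm": verify_strict(MITM, host, ANCHORS, NOW),
        "exception/mitm": verify_with_self_signed_exception(MITM, host, ANCHORS, NOW),
        "pin/mitm": verify_with_pin(MITM, host, ANCHORS, PINS, NOW),
        "pin/intranet": verify_with_pin(INTRANET, "wiki.internal", ANCHORS, PINS, NOW),
    }


if __name__ == "__main__":
    for name, verdict in outcomes().items():
        print(f"{name:20} {'ACCEPT' if verdict is None else 'REJECT: ' + verdict}")
```

The `exception/mitm` entry is the whole problem in one line: the interceptor's certificate fails every strict check, yet the exception path accepts it without examining anything, because being self-signed is something the attacker controls. Pinning keeps self-signed certificates usable for hosts the user has deliberately trusted while leaving the attacker's certificate rejected.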