Package: elinks
Version: 0.12~pre6-12
Severity: critical

I found out that ELinks doesn't verify the server certificate when connecting to HTTPS websites. This behavior doesn't comply with section 3.2 of IETF RFC 5280, "Certification Paths and Trust".
To protect users against malicious websites using fake certificates and potential man-in-the-middle attacks, certificate verification has to be enabled by default. ELinks' note about 'extensive configuration' in the SSL section of the Option Manager doesn't make sense. Most distributions include a 'CA bundle' package, which is used as the certificate trust anchor, so there is no need for end users to configure anything. ELinks should notify users when the certificate presented by the server cannot be validated and let the users choose whether to continue to the site or to abort viewing the site.

Steps to reproduce this potential security bug:

1. Create a self-signed certificate.

   $ openssl genrsa -out ./privkey.pem 2048
   $ openssl req -new -sha256 -days 1 -subj '/CN=localhost' -x509 -key ./privkey.pem -out cert.crt

2. Serve a test page for the self-signed certificate.

   $ openssl s_server -key ./privkey.pem -cert ./cert.crt -HTTP -www

   The OpenSSL test server will listen on 0.0.0.0:4433, accepting HTTP requests.

3. Open another terminal and use ELinks to connect to the test server.

   $ elinks https://localhost:4433/

4. ELinks will happily connect to the test server without notifying the user about the invalid or self-signed certificate.

Refer to the behavior of other browsers when connecting to the test server for comparison. Links2's behavior is more user-friendly: it notifies the user about the invalid certificate and lets the user decide whether to connect to the site or not.

This problem should be addressed as soon as possible to protect ELinks users from potential MITM attacks.
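The reproduction above, wrapped as a script so the two client behaviors can be compared side by side. This is an added example, not code from the bug report or from the ELinks project: it generates the self-signed certificate, starts openssl s_server, and then probes it with openssl s_client once as a verifying client (the handshake is refused unless the chain ends at a configured trust anchor, which is what the report asks ELinks to do) and once as a non-verifying client (the handshake completes regardless and only the verify return code tells you something was wrong, which is the behavior the report observes). ELinks itself is not driven by the script. The ports, the temporary file names, the use of a second unrelated self-signed certificate as a stand-in trust store, and the CA bundle path /etc/ssl/certs/ca-certificates.crt are assumptions.

```shell
#!/bin/sh
# Added example, not code from the bug report or the ELinks project.
# Reproduces the report's setup (self-signed certificate + openssl s_server)
# and probes it with openssl s_client in two modes:
#   - verifying client: refuses the handshake unless the chain ends at a
#     configured trust anchor (the behavior the report asks ELinks to have)
#   - non-verifying client: completes the handshake anyway and merely reports
#     the verify result (the behavior the report observes in ELinks)
# Assumptions: the ports, temporary file names and CA bundle path used below.

# Generate a self-signed certificate for CN=localhost: $1/$2.key and $1/$2.crt.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj '/CN=localhost' -keyout "$1/$2.key" -out "$1/$2.crt" \
        >/dev/null 2>&1
}

# Start openssl s_server on port $3 with key/cert $1/$2.*; prints its PID.
start_server() {
    openssl s_server -accept "$3" -key "$1/$2.key" -cert "$1/$2.crt" -www \
        >/dev/null 2>&1 &
    echo $!
}

# Poll until a TLS handshake to 127.0.0.1:$1 succeeds (about 10 s at most).
wait_server() {
    i=0
    while [ "$i" -lt 50 ]; do
        if printf 'Q\n' | openssl s_client -connect "127.0.0.1:$1" \
            >/dev/null 2>&1; then
            return 0
        fi
        i=$((i + 1)); sleep 0.2
    done
    return 1
}

# Verifying client: the trust store is the file $2 and nothing else.
# Returns 0 if the handshake was refused (cert not anchored in $2), 1 if it
# completed. -verify enables peer verification, -verify_return_error makes a
# verification failure fatal instead of merely logged.
verifying_client_rejects() {
    if printf 'Q\n' | openssl s_client -connect "127.0.0.1:$1" \
        -CAfile "$2" -verify 5 -verify_return_error >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Non-verifying client: the handshake completes regardless; prints the numeric
# "Verify return code" (0 = anchored in $2, 18 = self-signed leaf not trusted).
nonverifying_client_verify_code() {
    printf 'Q\n' | openssl s_client -connect "127.0.0.1:$1" -CAfile "$2" \
        2>/dev/null | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# Demo of the report's scenario on port $1 (default 4433), judged against the
# system CA bundle if present, else against an unrelated self-signed cert.
main() {
    port=${1:-4433}
    tmp=$(mktemp -d)
    make_selfsigned "$tmp" server
    make_selfsigned "$tmp" unrelated
    bundle=/etc/ssl/certs/ca-certificates.crt   # assumption: Debian's CA bundle path
    [ -f "$bundle" ] || bundle=$tmp/unrelated.crt
    pid=$(start_server "$tmp" server "$port")
    if wait_server "$port"; then
        if verifying_client_rejects "$port" "$bundle"; then
            echo "verifying client: handshake refused (correct: cert is not anchored in $bundle)"
        else
            echo "verifying client: handshake accepted (unexpected)"
        fi
        echo "non-verifying client: connected anyway, verify return code $(nonverifying_client_verify_code "$port" "$bundle")"
        echo "pinned client (trust store = the server's own cert): verify return code $(nonverifying_client_verify_code "$port" "$tmp/server.crt")"
    else
        echo "s_server did not come up on port $port" >&2
    fi
    kill "$pid" 2>/dev/null
    rm -rf "$tmp"
}

# Run the demo only when invoked as "sh this_script.sh run [port]"; otherwise
# the functions above are merely defined, so the file can also be sourced.
if [ "${1:-}" = run ]; then
    main "${2:-}"
fi
```

Run it with `sh tls_verify_check.sh run` (or `run 4433` to match the report's port). The "pinned client" line shows that the same certificate verifies cleanly once it is the configured trust anchor, which is exactly the decision the report wants surfaced to the user: accept this anchor or abort. The ELinks setting the report's 'extensive configuration' remark belongs to is, to my knowledge, connection.ssl.cert_verify (settable in elinks.conf with `set connection.ssl.cert_verify = 1`); treat that option name as an assumption to check against the Option Manager of the installed version.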