Your message dated Fri, 10 Mar 2017 16:12:06 +0100
with message-id <20170310151206.ga6...@inutil.org>
and subject line Re: elinks: doesn't perform server certificate verification
has caused the Debian Bug report #857365,
regarding elinks: doesn't perform server certificate verification
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
857365: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857365
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: elinks
Version: 0.12~pre6-12
Severity: critical
I found out that Elinks doesn't verify the server certificate when
connecting to HTTPS websites. This behavior doesn't comply with section
3.2 of IETF RFC5280: Certification Paths and Trust.
To protect users against malicious websites using fake certificates and
potential man-in-the-middle attacks, certificate verification has to be
enabled by default.
Elinks' note about 'extensive configuration' in the SSL section of the
Option Manager doesn't make sense. Most distributions include a 'CA Bundle'
package, which is used as the certificate trust anchor, so there is no need
for end users to configure anything.
Elinks should notify users when the certificate presented by the server
cannot be validated and let the users choose whether to continue to the
site or to abort viewing it.
Steps to reproduce this potential security bug:
1. Create a self signed certificate.
$ openssl genrsa -out ./privkey.pem 2048
$ openssl req -new -sha256 -days 1 -subj '/CN=localhost' -x509 -key ./privkey.pem -out cert.crt
2. Serve a test page for the self signed certificate.
$ openssl s_server -key ./privkey.pem -cert ./cert.crt -HTTP -www
The OpenSSL test server will listen on 0.0.0.0:4433, accepting HTTP
requests.
3. Open another terminal and use Elinks to connect to the test server.
$ elinks https://localhost:4433/
4. Elinks will happily connect to the test server without notifying
users about the invalid or self-signed certificate. Refer to the behavior of
other browsers when connecting to the test server for comparison.
Links2's behavior is more user-friendly: it notifies the user about the
invalid certificate and lets the user decide whether to connect to the site
or not.
This problem should be addressed as soon as possible to protect Elinks
users from potential MITM attacks.
--- End Message ---
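The four reproduction steps of the report, turned into a self-contained check. This is an added example, not code from the report, from Elinks or from Debian: it generates the self-signed certificate, starts openssl s_server -www in the background and then probes it with openssl s_client as a reference client, once trusting the server's own certificate (the handshake must complete) and once trusting only an unrelated self-signed certificate, which stands in for a CA bundle that does not contain the server's cert (the handshake must be aborted). The function names, the decoy certificate other.crt, the temporary directory and the use of port 4433 are choices made for this example; it assumes openssl(1) 1.1.0 or newer (for -verify_return_error and -verify_hostname), mktemp(1) and a free loopback port.

```shell
#!/bin/sh
# Added example for the report above; not Elinks or Debian code. It builds
# the report's throwaway test bed and checks a TLS client against it twice:
# with the server's own self-signed cert as the trust anchor (must be
# accepted) and with an unrelated self-signed cert as the only trust anchor
# (must be rejected, which is what the report expects of a browser).
# openssl s_client is the reference client; -verify_return_error makes it
# abort the handshake on a verification error instead of only warning.
# Assumed: openssl(1) >= 1.1.0 on PATH, mktemp(1), a free loopback port.

# Step 1 of the report: key and self-signed cert for CN=localhost in one go.
make_cert() {                      # $1 = key file, $2 = cert file
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj '/CN=localhost' -keyout "$1" -out "$2" >/dev/null 2>&1
}

# Plain connect with no verification policy: used only to wait for the listener.
port_ready() {                     # $1 = port
    openssl s_client -connect "127.0.0.1:$1" </dev/null >/dev/null 2>&1
}

# One HTTPS GET trusting only the CA file in $2. Exit 0 if the handshake
# completed, non-zero if s_client aborted it (verification failure).
tls_get() {                        # $1 = port, $2 = CA file
    printf 'GET / HTTP/1.0\r\n\r\n' |
        openssl s_client -connect "127.0.0.1:$1" -CAfile "$2" \
            -verify 5 -verify_return_error -verify_hostname localhost \
            >/dev/null 2>&1
}

# Runs both probes against a fresh s_server on the given port, prints the
# verdict line, and returns 0 only when the trusted cert was accepted AND
# the untrusted one rejected.
check_tls_client_verification() {  # $1 = port
    port=$1
    work=$(mktemp -d) || return 1
    make_cert "$work/privkey.pem" "$work/cert.crt" || return 1
    make_cert "$work/other.key" "$work/other.crt" || return 1  # decoy anchor

    # Step 2 of the report: status page over TLS (-www), in the background.
    openssl s_server -key "$work/privkey.pem" -cert "$work/cert.crt" \
        -accept "$port" -www >/dev/null 2>&1 &
    server=$!

    tries=0
    until port_ready "$port"; do   # give the listener up to ~10 s to come up
        tries=$((tries + 1))
        if [ "$tries" -ge 10 ]; then
            kill "$server" 2>/dev/null || true
            rm -rf "$work"
            return 1
        fi
        sleep 1
    done

    trusted=rejected;   tls_get "$port" "$work/cert.crt"  && trusted=accepted
    untrusted=rejected; tls_get "$port" "$work/other.crt" && untrusted=accepted

    kill "$server" 2>/dev/null || true
    wait "$server" 2>/dev/null || true
    rm -rf "$work"

    echo "trusted=$trusted untrusted=$untrusted"
    [ "$trusted" = accepted ] && [ "$untrusted" = rejected ]
}

check_tls_client_verification 4433
```

To test Elinks itself rather than the reference client, leave the s_server running (drop the kill) and point elinks https://localhost:4433/ at it as in step 3; the untrusted-anchor run of s_client shows what a verifying client's refusal looks like, and any client that reaches the status page without a warning in that situation is not verifying the chain.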
--- Begin Message ---
You already filed that as 856852, closing.
--- End Message ---