Bugtraq mailing list archives

Re: IE https certificate attack


From: Jim Knoble <jmknoble () pobox com>
Date: Mon, 7 Jan 2002 18:22:02 -0500

Circa 2002-Jan-06 10:04:23 +0100 dixit Helmut Springer:

: On 03 Jan 2002 at 15:04 +0100, K.J.Mueller () EnBW com wrote:
: > - w3m 0.1.11-pre
: 
: Current is w3m-0.2.3.2 and ssl_verify_server was added 2000.4.21.

Yes, but as of w3m-0.2.4, SSL server verification is disabled at
compile-time by default.  It's necessary to explicitly enable it,
either by using the interactive mode of the configure script, or by
#defining USE_SSL_VERIFY in config.h after a non-interactive configure
and before compiling.

You can check whether your w3m has SSL server verification enabled
using:

  w3m -version

If "ssl-verify" appears in the version output, then w3m has SSL server
verification enabled.

And even if SSL server verification is enabled, it's not turned on by
default.  You can turn it on via w3m's options screen (press 'o'
[lowercase letter Oh]).

-- 
jim knoble | jmknoble () pobox com   | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
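
The two conditions described in the message above (verification compiled in, and verification switched on) can be checked together. This is an added example, not part of the original message or of w3m itself; the function names are hypothetical, the sample version string is constructed, and it assumes w3m keeps its saved options as "name value" lines in ~/.w3m/config with ssl_verify_server set to 1 when enabled.

```shell
#!/bin/sh
# Constructed sample of `w3m -version` output (not captured from a real build).
SAMPLE_VERSION='w3m version w3m/0.2.4, options lang=en,color,cookie,ssl,ssl-verify,ipv6'

# Return 0 if "ssl-verify" is one of the build options in the version output.
# Options are split on commas and spaces and matched as whole tokens, so the
# plain "ssl" option alone does not count.
has_ssl_verify_build() {
    printf '%s\n' "$1" | tr ', ' '\n\n' | grep -qx 'ssl-verify'
}

# Return 0 if the config text sets ssl_verify_server to 1.
# Assumption: "name value" lines; the last occurrence wins.
verify_enabled_in_config() {
    printf '%s\n' "$1" |
        awk '$1 == "ssl_verify_server" { v = $2 } END { exit !(v == "1") }'
}

# $1 = output of `w3m -version`, $2 = contents of the w3m config file.
# Prints one of: not-compiled, compiled-but-off, verifying.
audit_w3m() {
    if ! has_ssl_verify_build "$1"; then
        echo "not-compiled"
    elif ! verify_enabled_in_config "$2"; then
        echo "compiled-but-off"
    else
        echo "verifying"
    fi
}

# Run against the local installation when w3m is present.
if command -v w3m >/dev/null 2>&1; then
    cfg=$(cat "$HOME/.w3m/config" 2>/dev/null || true)
    audit_w3m "$(w3m -version 2>&1)" "$cfg"
fi
```

A result of "compiled-but-off" is the case the message warns about: the binary supports verification but the option has not been turned on.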
