oss-sec mailing list archives
Re: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances)
From: Thorsten Glaser <tg () mirbsd de>
Date: Sat, 7 Aug 2021 03:58:07 +0000 (UTC)
Hi XTaran,
I *ALWAYS* SAID SNI IS A SHIT THING […]
Don't blame the messenger. ;-)
Not blaming you in the slightest, rather the contrary, thanks for vindicating me ☻☺
Other browsers also need checking.
Good idea.
[…]
I didn't find any such issue in any of these tools. All cases verified via Wireshark's "follow TCP stream" against an Apache 2.4.48 (from Debian Unstable as well). But yeah, there are probably many more to check. But so far it looks like a lynx-specific issue.
Good to know.
Thanks for the detective work,
You're welcome. Thanks for stumbling over this issue and triggering my digging. :-)
Heh, I know the feeling. *adds more mksh commits because a user is porting it to another weird hobbyist OS…*
bye,
//mirabilos
--
“Cool, /usr/share/doc/mksh/examples/uhr.gz is a reason to install mksh on every system.”
-- XTaran at OpenRheinRuhr, quite enthusiastic