oss-sec mailing list archives
Re: Re: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances)
From: Stuart Henderson <stu () spacehopper org>
Date: Sat, 7 Aug 2021 13:53:28 +0100
On 2021/08/07 04:49, Axel Beckert wrote:
> Hi Thorsten,
>
> I'm dropping the lynx-specific recipients, i.e. lynx-dev and the bug report…
>
> Thorsten Glaser wrote:
> > Axel Beckert dixit:
> > > This is more severe than it initially looked like: Due to TLS Server
> > > Name Indication (SNI) the hostname as parsed by Lynx (i.e. with
> > > "user:pass@" included) is sent in _clear_ text over the wire even
> >
> > I *ALWAYS* SAID SNI IS A SHIT THING […]
>
> Don't blame the messenger. ;-)
>
> > Other browsers also need checking.
>
> Good idea. I just checked in Debian Unstable those tools I'd mostly expect
> with such URLs and commandline usage:
>
> * Axel (sic! :-) 2.17.10-2
> * ELinks 0.13.2-1+b1
> * LibWWW-Perl (aka LWP) 6.53-1 via /usr/bin/GET
> * Links/Links2 2.21-1+b1
> * Wget (1.21-1+b1)
> * Wget2 (1.99.1-2.2)
I've checked w3m 0.5.3+git20210102, curl 7.78.0, lftp 4.9.2 and OpenBSD's ftp, those are okay too.
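The bug discussed in this thread is a URL-parsing one: the string Lynx handed to TLS as the Server Name Indication still carried the `user:pass@` userinfo, and SNI travels in the clear. The following is an added example (mine, not code from the thread, from Lynx or from any of the clients listed above) showing the buggy shape of the parse beside a correct one, plus the check a client should run before handing a name to TLS. It assumes Python's standard `urllib.parse` and `ipaddress` modules; the function names are my own.

```python
"""Added example (not from the thread): derive the TLS SNI name from a URL.

Contrasts a naive "everything between // and /" host extraction, which keeps
the userinfo and reproduces the leak described in the thread, with a parse
that drops userinfo, port and IPv6 brackets, and a check that refuses any
name unsuitable for the SNI extension.
"""
import ipaddress
from typing import Optional
from urllib.parse import urlsplit


def naive_netloc(url: str) -> str:
    """The buggy shape: treat the whole authority as the host.

    For https://user:pass@example.com/ this returns "user:pass@example.com";
    if that string is used as the SNI name, the credentials leave the
    machine in clear text in the ClientHello.
    """
    rest = url.split("//", 1)[1]
    return rest.split("/", 1)[0]


def check_sni_name(name: str) -> None:
    """Defensive check: SNI carries a bare DNS hostname only (RFC 6066).

    Userinfo ('@'), a port (':'), IPv6 brackets or a path separator must
    never appear. Raise rather than send.
    """
    if not name:
        raise ValueError("empty SNI name")
    for bad in ("@", ":", "[", "]", "/"):
        if bad in name:
            raise ValueError(f"refusing {name!r} as SNI name: contains {bad!r}")


def sni_name_for_url(url: str) -> Optional[str]:
    """Correct extraction: urlsplit().hostname strips userinfo, port and
    IPv6 brackets and lower-cases the host.

    Returns None for IP literals, because RFC 6066 does not permit them in
    the SNI HostName field; a client should then omit the extension.
    """
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("URL has no host component")
    try:
        ipaddress.ip_address(host)
        return None  # IP literal: send no SNI at all
    except ValueError:
        pass
    check_sni_name(host)
    return host


if __name__ == "__main__":
    # Constructed sample URLs; "user:pass" and example.com are placeholders.
    for u in (
        "https://user:pass@example.com/private",
        "https://user:pass@Example.COM:8443/x",
        "https://user:pass@[2001:db8::1]:8443/",
    ):
        print(f"{u}\n  naive: {naive_netloc(u)!r}\n  sni:   {sni_name_for_url(u)!r}")
```

The useful habit here is the `check_sni_name` step: even a client that parses URLs correctly can regress, and refusing to send a name containing `@` or `:` turns a silent credential leak into a visible error.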