lynx-dev

Re: lynx-dev Patch for SSL warning


From: Stef Caunter
Subject: Re: lynx-dev Patch for SSL warning
Date: Tue, 19 Nov 2002 21:11:51 -0500

> Lynx was broken from a security point of view until a few months ago.  It
> failed to authenticate the server.
>

Well, this is like the cookie problem. I get:

SSL error:unable to get local issuer certificate-Continue? (y)

twice a request as I go about my business on a college server with a
self-signed cert (lynx2.8.5dev9/netbsd1.5.2). Where is this coming from? I
have not seen this in lynx with openssl before, ever, in almost three years
of use.

> > +.h2 SSL_IGNORE_CERT_ERROR
> > +# Ignore errors from OpenSSL saying "unable to get local issuer
certificate
> You should include a warning that this makes Lynx vulnerable to man in the
> middle attacks and impostor sites.
>

And also mention that it allows you to use trusted sites' self-signed certs.
BTW, does lynx "store" certs it likes? This has not come up recently.
Can the cert nag be turned off in lynx.cfg? Is it a configure option?

> > +#
> > +#SSL_IGNORE_CERT_ERROR:TRUE
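Review bot: the comment added for SSL_IGNORE_CERT_ERROR (`+# Ignore errors from OpenSSL saying "unable to get local issuer certificate`) states only which message the option silences, not that enabling it skips server certificate verification and so leaves the connection open to impostor servers and man-in-the-middle attacks, as the reply above points out; put that consequence in the comment itself, since lynx.cfg is where users will read it, and change the commented-out sample line to `#SSL_IGNORE_CERT_ERROR:FALSE` so the shipped file documents the secure default rather than the unsafe value.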
>
> NO NO NO NO. The default should be secure.  Suppressing symptoms of security
> problems is a very bad cure for those problems.

I acknowledge and do not minimize the fact that MITM and impostors are a
security problem. The default could mention this. However:
The thing is that the cert error can and often does come from self-signed
certs from reasonably and probably known hosts, which just means that the
client is connecting to a known server which happens to not want to bother
with commercial CA certs. This is not a security problem, nor is it a
symptom of one. The connection is still encrypted. The parties are
reasonably certain of identity.
As long as there is that belief on the part of the client that they really
are connecting to the particular remote host with the self-signed cert, the
cert error nag isn't doing anything we don't already know and frankly don't
care about, since we're going ahead with the connection.

Have you heard about lynx overwriting lynx.cfg in dev9? It has done so on my
netbsd1.5.2 and 1.5.3 boxes.

Stef

Stefan Caunter
Mohawk College
Computer Science Department
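The distinction argued over in this exchange, between silencing the certificate error for every host and trusting one known self-signed certificate, can be shown in code. The following is an added Go example, not Lynx code (Lynx is C over OpenSSL) and not from anyone in the thread. It compares three client policies against a self-signed certificate: accept everything (what SSL_IGNORE_CERT_ERROR:TRUE amounts to), verify against a CA store that does not know the host (which yields Go's "unknown authority" error, the counterpart of OpenSSL's "unable to get local issuer certificate"), and verify against a store holding that one pinned self-signed certificate. The host name "college.example", both certificates, and the second "impostor" certificate with the same name are constructed test fixtures.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// certPolicy decides whether a client accepts the certificate a server
// presented; it models the choice the SSL_IGNORE_CERT_ERROR option makes.
type certPolicy func(*x509.Certificate) error

// ignoreCertErrors models SSL_IGNORE_CERT_ERROR:TRUE: every certificate is
// accepted, so the client never learns whether it reached the real host.
func ignoreCertErrors(*x509.Certificate) error { return nil }

// verifyAgainst models normal verification: the certificate must chain to a
// root in pool and carry host as a DNS name. pool may be a CA store or a
// pool holding one pinned self-signed certificate.
func verifyAgainst(pool *x509.CertPool, host string) certPolicy {
	return func(c *x509.Certificate) error {
		_, err := c.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
		return err
	}
}

// selfSignedCert makes a throwaway self-signed certificate for host with a
// fresh P-256 key (constructed test data; it represents no real server).
func selfSignedCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: the cert is its own issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// outcome turns a policy decision into a short label; "unknown authority" is
// Go's counterpart of OpenSSL's "unable to get local issuer certificate".
func outcome(p certPolicy, c *x509.Certificate) string {
	err := p(c)
	var unknown x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "accepted"
	case errors.As(err, &unknown):
		return "rejected: unknown authority"
	default:
		return "rejected: " + err.Error()
	}
}

// Results holds each policy's decision for the genuine certificate and for a
// second self-signed certificate with the same name, as an impostor would show.
type Results struct {
	IgnoreGenuine, IgnoreImpostor string
	NoAnchorGenuine               string
	PinnedGenuine, PinnedImpostor string
}

// runDemo builds the two certificates and evaluates all three policies.
func runDemo() (Results, error) {
	const host = "college.example" // hypothetical college server name
	genuine, err := selfSignedCert(host)
	if err != nil {
		return Results{}, err
	}
	impostor, err := selfSignedCert(host)
	if err != nil {
		return Results{}, err
	}
	noAnchors := x509.NewCertPool() // stands in for a CA store that never issued this cert
	pinned := x509.NewCertPool()
	pinned.AddCert(genuine) // the one certificate the user has decided to trust

	return Results{
		IgnoreGenuine:   outcome(ignoreCertErrors, genuine),
		IgnoreImpostor:  outcome(ignoreCertErrors, impostor),
		NoAnchorGenuine: outcome(verifyAgainst(noAnchors, host), genuine),
		PinnedGenuine:   outcome(verifyAgainst(pinned, host), genuine),
		PinnedImpostor:  outcome(verifyAgainst(pinned, host), impostor),
	}, nil
}

func main() {
	r, err := runDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The pinned pool is the per-host answer to the "does lynx store certs it likes" question: trusting the specific certificate removes the nag for the known server while any other certificate presented under that name is still rejected, which is exactly the case the global ignore option cannot tell apart from the genuine one.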


; To UNSUBSCRIBE: Send "unsubscribe lynx-dev" to address@hidden
