

From: Thorsten Glaser
Subject: Re: [Lynx-dev] SNI is a security vulnerability all by itself (was Re: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances))
Date: Sat, 7 Aug 2021 18:47:39 +0000 (UTC)

Andreas Metzler dixit:

>what do you refer to with "nonGNUtls build"?

Precisely these, ever since https://lwn.net/Articles/529558/ and
the ensuing fight in the GNU project. It’s not “GNU” TLS any more.


David Woolley dixit:

> Actually I consider certificates that authenticate anything except the 
> specific web site to be a security liability in themselves.  Whilst I'd 

Right, use IPv6 to differentiate those instead.

> that sending the login details is a bug in Lynx, and not in the SNI 

Yes, but one that can easily happen by accident. SNI sends things in
plaintext, which is the worse bug.

> I'd also suspect that the sorts of sites people might not want to be 
> associated with are either clustered on the same physical server, or 

Right, use IPv6 to differentiate those instead.

All other vhost scenarios can be handled with wildcard and/or
multi-subjectAltName certificates.

bye,
//mirabilos
-- 
Last night my IRC network exploded. I hadn't expected it, which is why
I'm smeared with blood… who could have guessed THEY would react like
that… last night my IRC network exploded~~~
        (as of 2021-06-15 The MirOS Project temporarily reconvenes on OFTC)
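The point made above, that whatever string a client puts into the server_name extension leaves the machine before any encryption is negotiated, can be seen directly on the wire. The following is an added example and is not code from Lynx or from anyone in this thread: it builds a minimal TLS ClientHello carrying only an RFC 6066 server_name extension, parses the name back out of the raw bytes, and contrasts a careless choice of SNI value (the whole URL netloc, userinfo included, which is the kind of accident the subject line describes) with a host derived by proper URL parsing. The URL, user name and password are constructed for the example; the function names are the example's own.

```python
import ipaddress
import struct
from urllib.parse import urlsplit


def build_sni_extension(host: str) -> bytes:
    """RFC 6066 server_name extension: ext type 0, one HostName (name type 0)."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", 0, len(name_list)) + name_list


def build_client_hello(host: str) -> bytes:
    """Minimal TLS record holding a ClientHello whose only extension is SNI.

    Random is all zeros and a single cipher suite is offered; this is a
    constructed message for inspection, not one a real client would send.
    """
    ext = build_sni_extension(host)
    body = (
        b"\x03\x03"              # client_version: TLS 1.2
        + b"\x00" * 32           # random (constructed, zero)
        + b"\x00"                # session_id length 0
        + b"\x00\x02\x13\x01"    # cipher_suites: one suite
        + b"\x01\x00"            # compression_methods: null only
        + struct.pack("!H", len(ext)) + ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Walk a ClientHello record as a passive observer would; return the
    server_name string, or None if there is none. No key is needed: the
    extension sits in the first, unencrypted flight."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:]
    if not hs or hs[0] != 0x01:
        return None
    p = 4 + 2 + 32                      # handshake header, version, random
    if p >= len(hs):
        return None
    p += 1 + hs[p]                      # session_id
    cs_len = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2 + cs_len                     # cipher_suites
    p += 1 + hs[p]                      # compression_methods
    if p + 2 > len(hs):
        return None
    ext_len = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    end = min(p + ext_len, len(hs))
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        edata = hs[p:p + elen]
        p += elen
        if etype != 0:
            continue
        q = 2                           # skip ServerNameList length
        while q + 3 <= len(edata):
            ntype = edata[q]
            nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
            q += 3
            name = edata[q:q + nlen]
            q += nlen
            if ntype == 0:
                return name.decode("ascii", errors="replace")
    return None


def sni_host_from_url(url: str):
    """Derive the value a client should put in server_name from a URL.

    Uses the parsed hostname (so userinfo and port never reach the wire)
    and returns None for IP literals, which RFC 6066 forbids in HostName;
    a client should then simply omit the extension.
    """
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError("URL has no host")
    try:
        ipaddress.ip_address(host)
        return None
    except ValueError:
        return host


if __name__ == "__main__":
    url = "https://user:secret@example.org:8443/"     # constructed URL
    careless = build_client_hello(urlsplit(url).netloc)
    print("careless SNI on the wire:", extract_sni(careless))
    print("password visible in plaintext:", b"secret" in careless)
    careful = build_client_hello(sni_host_from_url(url))
    print("careful SNI on the wire:", extract_sni(careful))
```

The parser deliberately knows nothing about the connection beyond the first record: that is exactly the vantage point of anyone between the client and the server, and it is why a value that was never meant to leave the client (here the userinfo part of the URL) is lost the moment it is used as the SNI host.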


