[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Lynx-dev] [oss-security] Re: Bug#991971: bug in Lynx' SSL certifica
From: |
Axel Beckert |
Subject: |
Re: [Lynx-dev] [oss-security] Re: Bug#991971: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances) |
Date: |
Sat, 7 Aug 2021 23:53:18 +0200 |
User-agent: |
NeoMutt/20170113 (1.7.2) |
Hi Ariadne,
[Dropping the Debian-specific recipients as this is no more related to
the maintenance of Debian's lynx package.]
Ariadne Conill wrote:
> > Citing from Ariadne's mail:
> > > The issue itself is far more severe: HTParse() does not understand
> > > the authn part of the URI at all.
> > […]
> > > But it will also leak in the Host: header on unencrypted
> > > connections, and also probably SSL ones too.
> >
> > But that looks to me as if Ariadne just refers to the code and hasn't
> > actually checked it by trying it. Nevertheless thanks to Ariadne for
> > having had a look and proposing a patch!
>
> Yes, this was my guess since HTParse() doesn't understand the authn part.
> But this seems like a rather unfortunate design: parse the URI wrong, and
> then "fix" it later? Why not just parse the URI right, to begin with?
I agree that it looks a bit unconventional and unintuitive. But I
assume this is because Lynx is actually older than the WWW. According
to Wikipedia[1], Lynx "is oldest web browser still being maintained,
having started in 1992". It was initially written for another
hypertext protocol (something university-internal and gopher-ish
according to Wikipedia -- English and German Wikipedia tell slightly
different stories here).
So it has quite some amount of history in its code and probably
especially in its code structure. And compared to those nearly 30
years, the Host header probably came in only after 5 years of
developement with HTTP/1.1 in 1997 or so. (And SNI much, much later,
kinda "just recently".) So I kinda have some understanding for this
unintuitive locations as most of the code is historically grown.
Then again, big kudos to Thomas Dickey for still maintaining and
developing Lynx. It can't be that easy to maintain a niche program
with a code base which such a long history.
[1] https://en.wikipedia.org/wiki/Lynx_(web_browser)
Regards, Axel
--
,''`. | Axel Beckert <abe@debian.org>, https://people.debian.org/~abe/
: :' : | Debian Developer, ftp.ch.debian.org Admin
`. `' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
`- | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
- Re: [Lynx-dev] bug in SSL certificate validation, (continued)
- Re: [Lynx-dev] bug in SSL certificate validation, Axel Beckert, 2021/08/06
- Re: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances), Axel Beckert, 2021/08/06
- Re: [Lynx-dev] [oss-security] Re: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances), Ariadne Conill, 2021/08/07
- Re: [Lynx-dev] [oss-security] Re: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances), Thorsten Glaser, 2021/08/07
- Re: [Lynx-dev] [oss-security] Re: Bug#991971: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances), Axel Beckert, 2021/08/07
- Re: [Lynx-dev] [oss-security] Re: Bug#991971: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances), Ariadne Conill, 2021/08/07
- Re: [Lynx-dev] [oss-security] Re: Bug#991971: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances),
Axel Beckert <=
Re: [Lynx-dev] bug in SSL certificate validation, Andreas Metzler, 2021/08/07