oss-sec mailing list archives

Re: CVE Request?: konqueror - https uses all ciphers, even weak ones


From: John Haxby <john.haxby () oracle com>
Date: Tue, 4 Mar 2014 12:28:21 +0000


On 4 Mar 2014, at 11:24, Daniel Kahn Gillmor <dkg () fifthhorseman net> wrote:

>> Google Chrome doesn’t permit the link though, it just crashes :)
>
> On what platform?  Is this for any connection, or just for a primary
> connection?  That is, can any web site crash google chrome with <img
> src="https://demo.cmrg.net/" /> ?
>
> (sorry, i don't have either chrome or safari handy to test it myself
> right now)

Chrome crashes on both Linux and Mavericks.

openssl s_client doesn’t report problems, but I wouldn’t expect it to.

wget just downloads index.html without any issue.

Firefox, elinks, midori and curl all refuse one way or another.

I didn’t test any more.  Apart from chrome, those are all on Fedora 20.

I agree that the connections being so trivially decryptable represents a flaw that should be fixed.

jch
