oss-sec mailing list archives
Re: CVE Request?: konqueror - https uses all ciphers, even weak ones
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 04 Mar 2014 13:44:20 -0700
On 03/04/2014 04:12 AM, John Haxby wrote:
> On 4 Mar 2014, at 11:01, Daniel Kahn Gillmor <dkg () fifthhorseman net> wrote:
>> Here is another situation where konqueror successfully indicates a "secure" connection to a server that has a known-insecure configuration: point konqueror at: https://demo.cmrg.net/ -- you'll see a successful connection, though that server only offers DHE over a trivially-crackable 16-bit group.
>
> I suspect that this problem is fairly wide-ranging. Apple’s Safari also permits the link. Google Chrome doesn’t permit the link though, it just crashes :)
>
> jch

Confirmed on Google Chrome in Linux (33.0.1750.117 and 33.0.1750.146), Windows (33.0.1750.146 m) and Mac OS X (33.0.1750.146). Firefox actually handles it really nicely, clear description in the error page and refuses to let you connect because it's too weak.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
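A client-side check of the kind this message is about, as an added example (not code from the post or from any browser): it parses the TLS ServerDHParams fields (dh_p, dh_g, dh_Ys) and refuses a group below a size floor or with degenerate values. The 2048-bit floor, the function names and the sample byte strings are assumptions constructed for illustration.

```python
import struct

MIN_DH_BITS = 2048  # assumed policy floor, not a value taken from the thread

class WeakDHParams(ValueError):
    """Raised when the server's DHE parameters must not be accepted."""

def _read_vec16(buf, off):
    """Read one opaque<1..2^16-1> field: 2-byte big-endian length, then body."""
    if off + 2 > len(buf):
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("bad field length")
    return int.from_bytes(buf[off:off + n], "big"), off + n

def check_server_dh_params(params, min_bits=MIN_DH_BITS):
    """Parse ServerDHParams and return the bit size of p, or raise WeakDHParams."""
    p, off = _read_vec16(params, 0)
    g, off = _read_vec16(params, off)
    ys, off = _read_vec16(params, off)  # anything after dh_Ys (the signature) is ignored here
    bits = p.bit_length()
    if bits < min_bits:
        raise WeakDHParams(f"DH prime is {bits} bits, minimum is {min_bits}")
    if p % 2 == 0:
        raise WeakDHParams("DH modulus is even")
    if not 1 < g < p - 1:
        raise WeakDHParams("generator out of range")
    if not 1 < ys < p - 1:
        raise WeakDHParams("server public value out of range")
    return bits

def _vec16(n):
    """Encode an integer as a length-prefixed field (helper for the samples)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return struct.pack("!H", len(raw)) + raw

# Constructed inputs, not captured from any real server.
TINY = _vec16(0xFFF1) + _vec16(2) + _vec16(0x1234)           # 16-bit modulus
BIG = _vec16((1 << 2047) | 1) + _vec16(2) + _vec16(0x1234)   # 2048-bit odd modulus, size test only
```

The check only enforces size and range; it does not test that p is prime or a safe prime.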