Vulnerability Development mailing list archives

Lynx-SSL doesn't check server certificates


From: Paweł Grajewski <grajewsp () WEBMEDIA PL>
Date: Wed, 27 Dec 2000 22:11:37 +0100

Hi all,

The last time I was playing around with mod_ssl, I tried to set up
a test SSL-secured Web site. I quickly generated a self-signed
certificate, then I wanted to check with Lynx-SSL whether it works. I was
really surprised that Lynx-SSL didn't complain about the server
certificate. Other browsers did.

According to the Lynx-SSL web site[1], support for server certificates is
planned as a "future enhancement". Until that is implemented,
there is no way for a potential Lynx-SSL user to check whether the server's
certificate is valid. That makes this software fully vulnerable to MITM
attacks.

[1] http://www.moxienet.com/lynx/

--
*-[ Paweł Grajewski ]------------[ grajewsp () webmedia pl ]-*
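
An added example, not part of the original post and not Lynx-SSL code: the check a verifying client applies to a server certificate, reproduced offline with the `openssl` command-line tool, next to a model of a client that skips it. The function names, file names and the host name `www.example.test` are assumptions made for the illustration.

```bash
#!/usr/bin/env bash
# Constructed demo: all keys and certificates are throwaway files generated
# locally in a temp directory; nothing here touches the network.

# make_self_signed PREFIX CN: write PREFIX.key and PREFIX.crt, a self-signed
# certificate like the test certificate described in the post.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# verifying_client CERT TRUSTED: accept CERT only if it chains to a
# certificate in the TRUSTED bundle (the check the other browsers made).
verifying_client() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo accept
    else
        echo reject
    fi
}

# non_verifying_client CERT: models the behaviour reported for Lynx-SSL.
# The certificate only has to parse; it is never validated.
non_verifying_client() {
    if openssl x509 -in "$1" -noout 2>/dev/null; then
        echo accept
    else
        echo reject
    fi
}

demo() {
    demo_dir=$(mktemp -d) || return 1
    make_self_signed "$demo_dir/site" www.example.test   # the operator's own cert
    make_self_signed "$demo_dir/other" www.example.test  # same name, different key
    echo "verifying, site cert trusted: $(verifying_client "$demo_dir/site.crt" "$demo_dir/site.crt")"
    echo "verifying, unknown cert:      $(verifying_client "$demo_dir/other.crt" "$demo_dir/site.crt")"
    echo "non-verifying, unknown cert:  $(non_verifying_client "$demo_dir/other.crt")"
    rm -rf "$demo_dir"
}
demo
```

The second and third lines of output are the point: a certificate carrying the right name but an untrusted key is rejected by the verifying client and accepted by the one that does no validation.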