Vulnerability Development mailing list archives
Lynx-SSL doesn't check server certificates
From: Paweł Grajewski <grajewsp () WEBMEDIA PL>
Date: Wed, 27 Dec 2000 22:11:37 +0100
Hi all,

Last time I was playing around with mod_ssl, I tried to set up a test SSL-secured Web site. I quickly generated a self-signed certificate, then I wanted to check with Lynx-SSL whether it works. I was really surprised that Lynx-SSL didn't complain about the server certificate. Other browsers did.

According to the Lynx-SSL web site[1], support for server certificates is planned as a "future enhancement". Until that is implemented, there is no way for a potential Lynx-SSL user to check whether the server's certificate is valid. That makes this software fully vulnerable to MITM attacks.

[1] http://www.moxienet.com/lynx/

--
*-[ Paweł Grajewski ]------------[ grajewsp () webmedia pl ]-*
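The behaviour reported above can be reproduced without a network. This is an added example, not part of the original post and not Lynx-SSL code: a TLS client with verification switched off accepts a freshly generated self-signed certificate, while a default verifying client rejects it. It assumes the `openssl` command-line tool is installed; the host name `test.example`, the file names and all function names are constructed for illustration.

```python
import os, ssl, subprocess, tempfile

def make_self_signed(dirname):
    """Create a throwaway self-signed certificate (constructed test data)."""
    key, crt = os.path.join(dirname, "key.pem"), os.path.join(dirname, "crt.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-days", "1", "-subj", "/CN=test.example",
                    "-keyout", key, "-out", crt], check=True, capture_output=True)
    return key, crt

def pump(src, dst):
    data = src.read()  # pending TLS records from one side, possibly none
    if data:
        dst.write(data)

def handshake(client_ctx, key, crt):
    """Return None if the client accepts the server cert, else OpenSSL's error text."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(crt, key)
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = client_ctx.wrap_bio(c_in, c_out, server_hostname="test.example")
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    pending = [client, server]
    for _ in range(20):  # far more rounds than any handshake needs
        for side in list(pending):
            try:
                side.do_handshake()
                pending.remove(side)
            except ssl.SSLWantReadError:
                pass  # waiting for the peer's next flight
            except ssl.SSLCertVerificationError as err:
                return err.verify_message
            pump(c_out, s_in)
            pump(s_out, c_in)
        if not pending:
            return None
    raise RuntimeError("handshake did not complete")

def demo():
    lax = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # no certificate checking
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    strict = ssl.create_default_context()  # chain and host name checks enabled
    with tempfile.TemporaryDirectory() as d:
        key, crt = make_self_signed(d)
        return {"no_verification": handshake(lax, key, crt),
                "verification": handshake(strict, key, crt)}

if __name__ == "__main__":
    print(demo())
```

The non-verifying client completes the handshake silently, which is why nothing warns the user when an unexpected certificate is presented.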