oss-sec mailing list archives
Re: CVE Request?: konqueror - https uses all ciphers, even weak ones
From: Daniel Kahn Gillmor <dkg () fifthhorseman net>
Date: Tue, 04 Mar 2014 11:24:31 +0000
On 03/04/2014 11:12 AM, John Haxby wrote:
> On 4 Mar 2014, at 11:01, Daniel Kahn Gillmor <dkg () fifthhorseman net> wrote:
>> Here is another situation where konqueror successfully indicates a "secure" connection to a server that has a known-insecure configuration: point konqueror at: https://demo.cmrg.net/ -- you'll see a successful connection, though that server only offers DHE over a trivially-crackable 16-bit group.
>> I suspect that this problem is fairly wide-ranging.
>
> Perhaps this needs more than one RFC, then?
>
> Apple’s Safari also permits the link.
I consider this a flaw in Safari. These connections are trivially decryptable by any passive eavesdropper. An active attacker can tamper with the content of the session.
> Google Chrome doesn’t permit the link though, it just crashes :)
On what platform? Is this for any connection, or just for a primary connection? That is, can any web site crash google chrome with <img src="https://demo.cmrg.net/" /> ? (sorry, i don't have either chrome or safari handy to test it myself right now)

--dkg
Attachment: signature.asc (OpenPGP digital signature)
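The thread's complaint is that a client reports a "secure" connection after completing a DHE handshake over a 16-bit group, where the modulus leaves only tens of thousands of possible values and offers no confidentiality against a passive observer. What a client should do instead is refuse the handshake when the server's group is too small. The following Python is an added example, not code from the thread or from Konqueror, Safari or Chrome: it parses the ServerDHParams structure carried in a TLS 1.2 ServerKeyExchange (RFC 5246, section 7.4.3) and rejects primes shorter than a configured minimum. The 2048-bit minimum is an assumed policy, and both sample messages are constructed for this example.

```python
"""
Added example (not from the oss-sec thread): the size check a TLS client
should apply to ServerDHParams before accepting a DHE cipher suite.

ServerDHParams (RFC 5246 section 7.4.3) is three length-prefixed vectors:
    opaque dh_p<1..2^16-1>; opaque dh_g<1..2^16-1>; opaque dh_Ys<1..2^16-1>;
"""
import struct

MIN_DH_BITS = 2048  # assumed policy for this example; not stated in the thread


def _read_vec16(buf: bytes, off: int):
    """Read one <1..2^16-1> length-prefixed vector; return (bytes, new_offset)."""
    if off + 2 > len(buf):
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("truncated or empty vector")
    return buf[off:off + n], off + n


def parse_server_dh_params(body: bytes):
    """Return (p, g, Ys) as integers from a ServerDHParams body."""
    p_bytes, off = _read_vec16(body, 0)
    g_bytes, off = _read_vec16(body, off)
    ys_bytes, off = _read_vec16(body, off)
    if off != len(body):
        raise ValueError("trailing bytes after ServerDHParams")
    return (int.from_bytes(p_bytes, "big"),
            int.from_bytes(g_bytes, "big"),
            int.from_bytes(ys_bytes, "big"))


def check_dh_params(body: bytes, min_bits: int = MIN_DH_BITS):
    """Return (ok, reason); ok is False for a group the client must refuse."""
    p, g, ys = parse_server_dh_params(body)
    bits = p.bit_length()
    if bits < min_bits:
        return False, f"DH prime is {bits} bits, below minimum {min_bits}"
    if g < 2 or g > p - 2:
        return False, "generator out of range"
    if ys < 2 or ys > p - 2:
        return False, "server public value out of range"
    return True, f"DH prime is {bits} bits"


def build_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Encode ServerDHParams; used here only to construct the sample messages."""
    def vec(n: int) -> bytes:
        b = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return struct.pack("!H", len(b)) + b
    return vec(p) + vec(g) + vec(ys)


# Constructed sample: a 16-bit prime group of the kind the thread describes.
WEAK_16BIT = build_server_dh_params(p=65521, g=2, ys=12345)
# Constructed sample: a 2048-bit modulus. It is just a large odd number, not a
# vetted prime; it exists only to exercise the size check.
BIG_2048 = build_server_dh_params(p=(1 << 2047) | 1, g=2, ys=2)

if __name__ == "__main__":
    for name, msg in (("16-bit group", WEAK_16BIT), ("2048-bit modulus", BIG_2048)):
        ok, why = check_dh_params(msg)
        print(f"{name}: {'accept' if ok else 'REJECT'} ({why})")
```

Run stand-alone, the script rejects the 16-bit sample and accepts the 2048-bit one. A real client would additionally validate that the modulus is prime (or belongs to a known safe group) and that the public value is in the right subgroup; the length check alone is what distinguishes the server in the thread from a properly configured one.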