oss-sec mailing list archives

Re: Re: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances)

From: Stuart Henderson <stu () spacehopper org>
Date: Sat, 7 Aug 2021 13:53:28 +0100

On 2021/08/07 04:49, Axel Beckert wrote:

Hi Thorsten,

I'm dropping the lynx-specific recipients, i.e. lynx-dev and the bug
report…

Thorsten Glaser wrote:

Axel Beckert dixit:

This is more severe than it initially looked like: Due to TLS Server
Name Indication (SNI) the hostname as parsed by Lynx (i.e with
"user:pass@" included) is sent in _clear_ text over the wire even


I *ALWAYS* SAID SNI IS A SHIT THING […]


Don't blame the messenger. ;-)

Other browsers also need checking.


Good idea.

I just checked in Debian Unstable those tools I'd mostly expect with
such URLs and commandline usage:

* Axel (sic! :-) 2.17.10-2
* ELinks 0.13.2-1+b1
* LibWWW-Perl (aka LWP) 6.53-1 via /usr/bin/GET
* Links/Links2 2.21-1+b1
* Wget (1.21-1+b1)
* Wget2 (1.99.1-2.2)


I've checked w3m 0.5.3+git20210102, curl 7.78.0, lftp 4.9.2 and OpenBSD's
ftp, those are okay too.

Current thread:

Re: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances) Axel Beckert (Aug 06)
- Re: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances) Thorsten Glaser (Aug 07)
  - Re: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances) Axel Beckert (Aug 07)
    - Re: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances) Thorsten Glaser (Aug 07)
    - Re: Re: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances) Stuart Henderson (Aug 07)
  - SNI is a security vulnerability all by itself (was Re: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances)) Thorsten Glaser (Aug 07)
    - Re: SNI is a security vulnerability all by itself (was Re: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances)) Jeffrey Walton (Aug 07)
  - Re: Re: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances) Ariadne Conill (Aug 07)
    - Re: [Lynx-dev] [oss-security] Re: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances) Thorsten Glaser (Aug 07)
    - Re: Re: Bug#991971: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances) Axel Beckert (Aug 07)
    - Re: Re: Bug#991971: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances) Ariadne Conill (Aug 07)
    - Re: Re: Bug#991971: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances) Axel Beckert (Aug 07)
- Re: Bug#991971: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances) Salvatore Bonaccorso (Aug 07)