oss-sec mailing list archives

Re: [Lynx-dev] [oss-security] Re: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances)

From: Thorsten Glaser <tg () mirbsd de>
Date: Sat, 7 Aug 2021 18:49:57 +0000 (UTC)

Ariadne Conill dixit:

It turns out SNI is only marginally related to this issue.  The issue
itself is far more severe: HTParse() does not understand the authn
part of the URI at all.


Yes, of course. But without SNI, nothing would have been sent *in
plaintext* at all. The certificate validation fails¹, the connection
stops and the user is asked whether to continue.

① Tested on an OS without SNI in its libssl.

As a workaround, I taught HTParse() how to parse the authn part of URIs, but
Lynx itself needs to actually properly support the authn part really.

I have attached the patch Alpine is using to work around this infoleak.


Thanks!

I recall having to work manually to strip the port from the hostname
for SSL certificate validation, ages ago, but I had not tested with
HTTP Auth sites back then.

bye,
//mirabilos
-- 
Gestern Nacht ist mein IRC-Netzwerk explodiert. Ich hatte nicht damit
gerechnet, darum bin ich blutverschmiert… wer konnte ahnen, daß SIE so
reagier’n… gestern Nacht ist mein IRC-Netzwerk explodiert~~~
        (as of 2021-06-15 The MirOS Project temporarily reconvenes on OFTC)

Current thread:

Re: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances) Axel Beckert (Aug 06)
- Re: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances) Thorsten Glaser (Aug 07)
  - Re: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances) Axel Beckert (Aug 07)
    - Re: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances) Thorsten Glaser (Aug 07)
    - Re: Re: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances) Stuart Henderson (Aug 07)
  - SNI is a security vulnerability all by itself (was Re: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances)) Thorsten Glaser (Aug 07)
    - Re: SNI is a security vulnerability all by itself (was Re: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances)) Jeffrey Walton (Aug 07)
  - Re: Re: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances) Ariadne Conill (Aug 07)
    - Re: [Lynx-dev] [oss-security] Re: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances) Thorsten Glaser (Aug 07)
    - Re: Re: Bug#991971: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances) Axel Beckert (Aug 07)
    - Re: Re: Bug#991971: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances) Ariadne Conill (Aug 07)
    - Re: Re: Bug#991971: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances) Axel Beckert (Aug 07)
- Re: Bug#991971: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances) Salvatore Bonaccorso (Aug 07)