oss-sec mailing list archives

Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules

From: Matthew Fernandez <matthew.fernandez () gmail com>
Date: Thu, 20 Apr 2023 15:44:08 -0700


On 4/20/23 14:26, Steffen Nurpmeso wrote:

Jeffrey Walton wrote in
  <CAH8yC8nYOGAsnPkm+f3-b7r4PvZ=QxeKT9DXK=MoFVoFDGav9w () mail gmail com>:
  |On Thu, Apr 20, 2023 at 9:05 AM Steffen Nurpmeso <steffen () sdaoden eu> \
  |wrote:
  |I don't think HTTPS discriminates against servers with self-signed
  |certificates. A user is free to limit trust to a single, self-signed
  |certificate. The docs show the user how to do it.

That seems very, very complicated for non-nerds.
I fail to see user-enabled documentation for how to achieve this,
but i am only using command line / console programs, it can be the
desktop environments make this easy.

I hesitate to reply to this thread because I struggle to understand whattopic it has diverged into, but I just wanted to note that embeddedbrowsers configured to accept a single self-signed certificate are notuncommon in corporate environments. Thus a (non-technical) end user maybe using a browser like this that has been configured for them by devicemanagement. Whether this is a good design/idea, I leave to others’judgement.

Current thread:

Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Stig Palmquist (Apr 18)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Demi Marie Obenour (Apr 19)
  - Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Steffen Nurpmeso (Apr 19)
    - Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Hanno Böck (Apr 19)
    - Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Steffen Nurpmeso (Apr 20)
    - Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules David A. Wheeler (Apr 20)
    - Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Steffen Nurpmeso (Apr 20)
    - Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Jeffrey Walton (Apr 20)
    - Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Steffen Nurpmeso (Apr 20)
    - Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Matthew Fernandez (Apr 20)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Christian Heinrich (Apr 21)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Stig Palmquist (Apr 29)
  - Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Reid Sutherland (May 03)
    - Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules David A. Wheeler (May 03)
    - Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Reid Sutherland (May 03)
    - Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Moritz Bechler (May 03)
    - Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Michael Orlitzky (May 03)
    - Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Reid Sutherland (May 04)
    - Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Sam Bull (May 04)
    - Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Alan Coopersmith (May 04)

(Thread continues...)