oss-sec mailing list archives
Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules
From: Matthew Fernandez <matthew.fernandez () gmail com>
Date: Thu, 20 Apr 2023 15:44:08 -0700
On 4/20/23 14:26, Steffen Nurpmeso wrote:
Jeffrey Walton wrote in <CAH8yC8nYOGAsnPkm+f3-b7r4PvZ=QxeKT9DXK=MoFVoFDGav9w () mail gmail com>: |On Thu, Apr 20, 2023 at 9:05 AM Steffen Nurpmeso <steffen () sdaoden eu> \ |wrote: |I don't think HTTPS discriminates against servers with self-signed |certificates. A user is free to limit trust to a single, self-signed |certificate. The docs show the user how to do it. That seems very, very complicated for non-nerds. I fail to see user-enabled documentation for how to achieve this, but i am only using command line / console programs, it can be the desktop environments make this easy.
I hesitate to reply to this thread because I struggle to understand what topic it has diverged into, but I just wanted to note that embedded browsers configured to accept a single self-signed certificate are not uncommon in corporate environments. Thus a (non-technical) end user may be using a browser like this that has been configured for them by device management. Whether this is a good design/idea, I leave to others’ judgement.
Current thread:
- Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Stig Palmquist (Apr 18)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Demi Marie Obenour (Apr 19)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Steffen Nurpmeso (Apr 19)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Hanno Böck (Apr 19)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Steffen Nurpmeso (Apr 20)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules David A. Wheeler (Apr 20)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Steffen Nurpmeso (Apr 20)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Jeffrey Walton (Apr 20)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Steffen Nurpmeso (Apr 20)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Matthew Fernandez (Apr 20)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Steffen Nurpmeso (Apr 19)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Demi Marie Obenour (Apr 19)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Reid Sutherland (May 03)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules David A. Wheeler (May 03)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Reid Sutherland (May 03)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Moritz Bechler (May 03)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Michael Orlitzky (May 03)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Reid Sutherland (May 04)