"Igor Cappello" <[EMAIL PROTECTED]> writes: > When I try to authenticate to a page (example: the www.google.com > account page) which uses https protocol, with a proxy ($http_proxy and > $https_proxy are ok), I get an error message: "unable to retrieve > proxy://proxy_addr:proxy_port/https://the_rest_of_the_auth_page_address.php > (POST DATA) SSL error"
Examining this error revealed a security bug in ELinks, and the maintainer decided not to delay publication. http://bugzilla.elinks.cz/show_bug.cgi?id=937 If ELinks is making a POST request to an https URL, and a proxy has been defined for https, ELinks takes the body and Content-* headers of the POST request and adds them to the CONNECT request in cleartext. So the proxy can now snoop all the data that was supposed to be hidden by TLS, as can anyone between ELinks and the proxy. The proxy you are using presumably considers such a CONNECT request malformed and rejects it entirely. ELinks 0.10.6 and 0.11.2 have this bug. Other ELinks versions that can use a proxy for https also probably have it. AFAICT, Links 1.00pre12 and 2.1pre26 cannot use the CONNECT method and so do not have this bug. Until the bug is fixed, it is safest to use the https proxy setting only with trusted proxies connected via secure networks. Please note that ELinks reads three settings to choose the proxy: - the protocol.https.proxy.host option, - the HTTPS_PROXY environment variable, and - the https_proxy environment variable. To stop ELinks from using a proxy, you should clear all three.
pgpo7qS4bIfon.pgp
Description: PGP signature
_______________________________________________ elinks-users mailing list [email protected] http://linuxfromscratch.org/mailman/listinfo/elinks-users
