Bug#607497: midori: Loads HTTPS with SSL errors without any notice
On Wednesday, October 05 2011, Francesco Poli wrote:

> On Sun, 19 Dec 2010 04:05:00 +0100 Witold Baryluk wrote:
>
> [...]
>> Go to https://turtle.libre.fm/
>> (this site has an expired SSL certificate, and it is issued to another domain).
>>
>> The address bar in Midori will go red, yes, but there is no way to see what is
>> wrong.
> [...]
>
> I would like to add a little more information.
>
> As noted in the upstream bug [1], Midori currently lacks a certificate
> manager and an accurate certificate verification mechanism.
>
> [1] https://bugs.launchpad.net/midori/+bug/706857
>
> Moreover, the color of the location bar is sometimes misleading: it
> happens that it becomes red ("Not verified"), and then, after clicking
> on the little (i) icon, it becomes yellow ("Verified and encrypted
> connection") upon reloading the page. Sometimes the opposite happens
> (a page is considered verified, but turns into non-verified after
> clicking on the little locker icon).
>
> I hope that these issues may be solved very soon.
> Midori is a nice lightweight web browser with great potential, but a
> modern browser cannot afford to lack proper SSL certificate management
> and verification!

Hi there,

I am the new maintainer for Midori on Debian, and I am inclined to close this bug.

As far as I understood from this (very old) discussion, what was missing was a way to identify whether a website's SSL/TLS certificate was valid or not, and take some action based on this. Well, Midori has been offering a way to "trust a website" if the certificate being used is not signed/valid, which means that the connection to the website does not happen until the user actively chooses to continue.

While I agree that the current solution still needs some improvement, I do believe that, as far as security is concerned, the behavior described in this report does not exist anymore. Another thing worth mentioning is that the upstream bug has been closed for a while now.

I realize it has been a long time since this bug (and this package) has received any attention, so I will wait a few days to see if anybody has anything else to say, and then I will close the bug if nobody complains.

Thanks,

-- 
Sergio
GPG key ID: 237A 54B1 0287 28BF 00EF 31F4 D0EB 7628 65FC 5E36
Please send encrypted e-mail if possible
http://sergiodj.net/
Bug#607497: midori: Loads HTTPS with SSL errors without any notice
On Sun, 19 Dec 2010 04:05:00 +0100 Witold Baryluk wrote:

[...]
> Go to https://turtle.libre.fm/
> (this site has an expired SSL certificate, and it is issued to another domain).
>
> The address bar in Midori will go red, yes, but there is no way to see what is
> wrong.
[...]

I would like to add a little more information.

As noted in the upstream bug [1], Midori currently lacks a certificate
manager and an accurate certificate verification mechanism.

[1] https://bugs.launchpad.net/midori/+bug/706857

Moreover, the color of the location bar is sometimes misleading: it
happens that it becomes red ("Not verified"), and then, after clicking
on the little (i) icon, it becomes yellow ("Verified and encrypted
connection") upon reloading the page. Sometimes the opposite happens
(a page is considered verified, but turns into non-verified after
clicking on the little locker icon).

I hope that these issues may be solved very soon.
Midori is a nice lightweight web browser with great potential, but a
modern browser cannot afford to lack proper SSL certificate management
and verification!

-- 
http://www.inventati.org/frx/frx-gpg-key-transition-2010.txt
New GnuPG key, see the transition document!
 . Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82 3925 3E1C 27E1 1F69 BFFE
Bug#607497: midori: Loads HTTPS with SSL errors without any notice
Hi Mike!

What Witold reports is actually post-CVE-2010-3900 behavior.

Does any webkitgtk-based epiphany version offer any more protection than an after-connect / fetch warning?

th.

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#607497: [Secure-testing-team] Bug#607497: midori: Loads HTTPS with SSL errors without any notice
severity 607497 important
fixed 607497 0.2.7-1.1
thanks

On Sun, 19 Dec 2010 04:05:00 +0100 Witold Baryluk wrote:
> Package: midori
> Version: 0.2.7-1.1
> Severity: grave
> Tags: security squeeze
> Justification: user security hole
>
> Simple example
>
> Go to https://turtle.libre.fm/
> (this site has an expired SSL certificate, and it is issued to another domain).
>
> The address bar in Midori will go red, yes, but there is no way to see what is
> wrong. (One can use wget or openssl s_client ... or another browser.)
>
> What is worse, Midori actually loads this page and shows us a page.
> It should block the request, and should not make the connection so easy.
> (IMHO there should not even be a way to bypass these errors.)
>
> Possible private data leakage:
> - cookies
> - private URLs
> - logins, password data
> - confidential information on the page.
>
> This bug makes a MITM attack quite simple. Yes, the user will notice this
> (because of the red address bar), but it will already be too late to do
> anything - the data was already sent and received.

This is CVE-2010-3900 [0]. It has been decided that, since Midori's support for SSL is inherently limited, this fix won't be applied for squeeze. It is currently recommended not to use Midori if SSL support is important to you. Epiphany or Chromium are the preferred webkit-based browsers.

Best wishes,
Mike

[0] http://security-tracker.debian.org/tracker/CVE-2010-3900
Bug#607497: midori: Loads HTTPS with SSL errors without any notice
Package: midori
Version: 0.2.7-1.1
Severity: grave
Tags: security squeeze
Justification: user security hole

Simple example

Go to https://turtle.libre.fm/
(this site has an expired SSL certificate, and it is issued to another domain).

The address bar in Midori will go red, yes, but there is no way to see what is
wrong. (One can use wget or openssl s_client ... or another browser.)

What is worse, Midori actually loads this page and shows us a page.
It should block the request, and should not make the connection so easy.
(IMHO there should not even be a way to bypass these errors.)

Possible private data leakage:
- cookies
- private URLs
- logins, password data
- confidential information on the page.

This bug makes a MITM attack quite simple. Yes, the user will notice this
(because of the red address bar), but it will already be too late to do
anything - the data was already sent and received.

Thanks.

-- System Information:
Debian Release: 6.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.37-rc5-sredniczarny-11471-g6313e3c (SMP w/1 CPU core; PREEMPT)
Locale: LANG=pl_PL.utf8, LC_CTYPE=pl_PL.utf8 (charmap=UTF-8) (ignored: LC_ALL set to pl_PL.utf8)
Shell: /bin/sh linked to /bin/dash

Versions of packages midori depends on:
ii  dbus-x11                  1.2.24-3         simple interprocess messaging syst
ii  dpkg                      1.15.8.6         Debian package management system
ii  libatk1.0-0               1.30.0-1         The ATK accessibility toolkit
ii  libc6                     2.11.2-7         Embedded GNU C Library: Shared lib
ii  libcairo2                 1.8.10-6         The Cairo 2D vector graphics libra
ii  libdbus-1-3               1.2.24-3         simple interprocess messaging syst
ii  libdbus-glib-1-2          0.88-2           simple interprocess messaging syst
ii  libfontconfig1            2.8.0-2.1        generic font configuration library
ii  libfreetype6              2.4.2-2.1        FreeType 2 font engine, shared lib
ii  libglib2.0-0              2.24.2-1         The GLib library of C routines
ii  libgtk2.0-0               2.20.1-2         The GTK+ graphical user interface
ii  libjs-mootools            1.2.5~debian1-2  compact JavaScript framework
ii  libnotify1 [libnotify1-g  0.5.0-2          sends desktop notifications to a n
ii  libpango1.0-0             1.28.3-1         Layout and rendering of internatio
ii  libsoup2.4-1              2.30.2-1         an HTTP library implementation in
ii  libsqlite3-0              3.7.4-1          SQLite 3 shared library
ii  libunique-1.0-0           1.1.6-1.1        Library for writing single instanc
ii  libwebkit-1.0-2           1.2.5-2.1        Web content engine library for Gtk
ii  libx11-6                  2:1.3.3-4        X11 client-side library
ii  libxml2                   2.7.8.dfsg-1     GNOME XML library

Versions of packages midori recommends:
ii  gnome-icon-theme          2.30.3-2         GNOME Desktop icon theme

midori suggests no packages.

-- no debconf information
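The failure mode Witold describes, and the gate Sergio later describes ("the connection to the website does not happen until the user actively chooses to continue"), can be shown in a few dozen lines of Go. This is an added example written for this page; it is not Midori, WebKitGTK or libsoup code, and everything in it is constructed: a self-signed certificate generated at run time, the names turtle.example and other-domain.example standing in for turtle.libre.fm and the unrelated domain its certificate was issued to, a loopback server, and a one-line request carrying a fake cookie. certProblems produces the "what is wrong" that the red address bar never gave (expired, issued to another name), and attempt compares a client that verifies the certificate before the handshake completes, so nothing is sent, with one that skips verification, which has already handed over the cookie by the time anyone looks at the bar colour.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"time"
)

// Hostname the user typed into the address bar (constructed stand-in for turtle.libre.fm).
const requestedHost = "turtle.example"

// makeCert builds a self-signed server certificate for certHost valid over [notBefore, notAfter] (constructed test data).
func makeCert(certHost string, notBefore, notAfter time.Time) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // does not fail with a working rand.Reader
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: certHost},
		DNSNames:     []string{certHost},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// certProblems says, in user terms, why leaf is unacceptable for host: the "what is wrong"
// the red bar never explained. Validity and name are checked separately so both get listed.
func certProblems(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) []string {
	var problems []string
	var invalid x509.CertificateInvalidError
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	switch {
	case err == nil:
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		problems = append(problems, "certificate is expired or not yet valid")
	default:
		problems = append(problems, "certificate chain rejected: "+err.Error())
	}
	if leaf.VerifyHostname(host) != nil {
		problems = append(problems, fmt.Sprintf("certificate is issued to %v, not to %q", leaf.DNSNames, host))
	}
	return problems
}

type Result struct {
	Problems  []string // why the certificate fails; empty when it verifies
	Connected bool     // the TLS handshake completed
	BytesSent int      // request bytes (cookie included) the server received
}

// attempt serves cert on a loopback port and connects to it the way a browser would: verifying
// (insecure=false), or skipping verification, which is what the reported behaviour amounted to.
func attempt(cert tls.Certificate, insecure bool) Result {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}, SessionTicketsDisabled: true})
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	got := make(chan []byte, 1)
	go func() { // server side: collect whatever application data arrives
		var buf []byte
		if conn, err := ln.Accept(); err == nil {
			conn.SetDeadline(time.Now().Add(5 * time.Second))
			buf, _ = io.ReadAll(conn) // stays empty when the client aborts the handshake
			conn.Close()
		}
		got <- buf
	}()
	roots := x509.NewCertPool()
	roots.AddCert(cert.Leaf) // trust this issuer, so only validity and name errors remain
	res := Result{Problems: certProblems(cert.Leaf, roots, requestedHost, time.Now())}
	cfg := &tls.Config{RootCAs: roots, ServerName: requestedHost, InsecureSkipVerify: insecure}
	if conn, err := tls.Dial("tcp", ln.Addr().String(), cfg); err == nil {
		res.Connected = true // only now does the request, cookie included, leave the machine
		conn.Write([]byte("GET /private HTTP/1.0\r\nCookie: session=constructed\r\n\r\n"))
		conn.Close()
	}
	res.BytesSent = len(<-got)
	return res
}

func main() {
	bad := makeCert("other-domain.example", time.Now().Add(-48*time.Hour), time.Now().Add(-24*time.Hour))
	fmt.Printf("verifying client: %+v\nnon-verifying client: %+v\n", attempt(bad, false), attempt(bad, true))
}
```

For the expired, wrongly named certificate the verifying client reports Connected=false and BytesSent=0 alongside two Problems, which is the point at which a browser can show its "trust this website?" prompt with a concrete reason; the non-verifying client reports Connected=true and a non-zero BytesSent, which is the report's "data was already sent". Swapping in a certificate for turtle.example that is currently valid gives Connected=true with no Problems.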