Bug#607497: midori: Loads HTTPS with SSL errors without any notice

2015-10-20 Thread Sergio Durigan Junior
On Wednesday, October 05 2011, Francesco Poli wrote:

> On Sun, 19 Dec 2010 04:05:00 +0100 Witold Baryluk wrote:
>
> [...]
>> Go to https://turtle.libre.fm/
>> (this site has an expired SSL certificate, and it is issued to another domain).
>> 
>> Address bar in midori will go red, yes, but there is no way to see what is
>> wrong.
> [...]
>
> I would like to add a little more information.
>
> As noted in the upstream bug [1], Midori currently lacks a certificate
> manager and an accurate certificate verification mechanism.
>
> [1] https://bugs.launchpad.net/midori/+bug/706857
>
> Moreover, the color of the location bar is sometimes misleading: it
> happens that it becomes red ("Not verified"), and then, after clicking
> on the little (i) icon, it becomes yellow ("Verified and encrypted
> connection") upon reloading the page. Sometimes the opposite happens
> (a page is considered verified, but turns into non-verified after
> clicking on the little locker icon).
>
> I hope that these issues may be solved very soon.
> Midori is a nice lightweight web browser with a great potential, but a
> modern browser cannot afford lacking proper SSL certificate management
> and verification!

Hi there,

I am the new maintainer for Midori on Debian, and I am inclined to close
this bug.  As far as I understood from this (very old) discussion, what
was missing was a way to identify whether a website's SSL/TLS
certificate was valid or not, and take some action based on this.

Well, Midori has been offering a way to "trust a website" if the
certificate being used is not signed/valid, which means that the
connection to the website does not happen until the user actively
chooses to continue.  While I agree that the current solution still
needs some improvement, I do believe that, as far as security is
concerned, the behavior described in this report does not exist anymore.
Another thing worth mentioning is that the upstream bug has been closed
for a while now.

I realize it has been a long time since this bug (and this package) has
received any attention, so I will wait a few days to see if anybody has
anything else to say, and then I will close the bug if nobody complains.

Thanks,

-- 
Sergio
GPG key ID: 237A 54B1 0287 28BF 00EF  31F4 D0EB 7628 65FC 5E36
Please send encrypted e-mail if possible
http://sergiodj.net/




Bug#607497: midori: Loads HTTPS with SSL errors without any notice

2011-10-05 Thread Francesco Poli
On Sun, 19 Dec 2010 04:05:00 +0100 Witold Baryluk wrote:

> [...]
> Go to https://turtle.libre.fm/
> (this site has an expired SSL certificate, and it is issued to another domain).
>
> Address bar in midori will go red, yes, but there is no way to see what is
> wrong.
> [...]

I would like to add a little more information.

As noted in the upstream bug [1], Midori currently lacks a certificate
manager and an accurate certificate verification mechanism.

[1] https://bugs.launchpad.net/midori/+bug/706857

Moreover, the color of the location bar is sometimes misleading: it
happens that it becomes red (Not verified), and then, after clicking
on the little (i) icon, it becomes yellow (Verified and encrypted
connection) upon reloading the page. Sometimes the opposite happens
(a page is considered verified, but turns into non-verified after
clicking on the little locker icon).

I hope that these issues may be solved very soon.
Midori is a nice lightweight web browser with a great potential, but a
modern browser cannot afford lacking proper SSL certificate management
and verification!


-- 
 http://www.inventati.org/frx/frx-gpg-key-transition-2010.txt
 New GnuPG key, see the transition document!
. Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE




Bug#607497: midori: Loads HTTPS with SSL errors without any notice

2010-12-20 Thread Tomas Hoger
Hi Mike!

What Witold reports is actually post-CVE-2010-3900 behavior.  Does any
webkitgtk-based epiphany version offer any more protection than after
connect / fetch warning?

th.



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#607497: [Secure-testing-team] Bug#607497: midori: Loads HTTPS with SSL errors without any notice

2010-12-19 Thread Michael Gilbert
severity 607497 important
fixed 607497 0.2.7-1.1
thanks

On Sun, 19 Dec 2010 04:05:00 +0100 Witold Baryluk wrote:

> Package: midori
> Version: 0.2.7-1.1
> Severity: grave
> Tags: security squeeze
> Justification: user security hole
>
> Simple example
>
> Go to https://turtle.libre.fm/
> (this site has an expired SSL certificate, and it is issued to another domain).
>
> Address bar in midori will go red, yes, but there is no way to see what is
> wrong.
> (One can use wget or openssl s_client ... or another browser)
>
> What is worse, midori actually loads this page and shows us a page.
>
> It should block the request, and should not make the connection so easy.
> (IMHO there should not even be a way to bypass these errors).
>
> Possible private data leakage:
>   - cookies
>   - private urls
>   - logins, passwords data
>   - confidential information on the page.
>
> This bug makes MITM attack quite simple.
>
> Yes, user will notice this (because of red address bar), but it will be already
> too late to do anything - data was already sent and received.

This is CVE-2010-3900 [0].  It has been decided that, since Midori's
support for SSL is inherently limited, this fix won't be applied
for squeeze.  It is currently recommended not to use midori if SSL
support is important to you.  Epiphany or chromium are the preferred
webkit-based browsers.

Best wishes,
Mike

[0] http://security-tracker.debian.org/tracker/CVE-2010-3900






Bug#607497: midori: Loads HTTPS with SSL errors without any notice

2010-12-18 Thread Witold Baryluk
Package: midori
Version: 0.2.7-1.1
Severity: grave
Tags: security squeeze
Justification: user security hole

Simple example

Go to https://turtle.libre.fm/
(this site has an expired SSL certificate, and it is issued to another domain).

Address bar in midori will go red, yes, but there is no way to see what is
wrong.
(One can use wget or openssl s_client ... or another browser)

What is worse, midori actually loads this page and shows us a page.

It should block the request, and should not make the connection so easy.
(IMHO there should not even be a way to bypass these errors).

Possible private data leakage:
  - cookies
  - private urls
  - logins, passwords data
  - confidential information on the page.

This bug makes MITM attack quite simple.

Yes, user will notice this (because of red address bar), but it will be already
too late to do anything - data was already sent and received.


Thanks.



-- System Information:
Debian Release: 6.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.37-rc5-sredniczarny-11471-g6313e3c (SMP w/1 CPU core; PREEMPT)
Locale: LANG=pl_PL.utf8, LC_CTYPE=pl_PL.utf8 (charmap=UTF-8) (ignored: LC_ALL 
set to pl_PL.utf8)
Shell: /bin/sh linked to /bin/dash

Versions of packages midori depends on:
ii  dbus-x11                  1.2.24-3         simple interprocess messaging syst
ii  dpkg                      1.15.8.6         Debian package management system
ii  libatk1.0-0               1.30.0-1         The ATK accessibility toolkit
ii  libc6                     2.11.2-7         Embedded GNU C Library: Shared lib
ii  libcairo2                 1.8.10-6         The Cairo 2D vector graphics libra
ii  libdbus-1-3               1.2.24-3         simple interprocess messaging syst
ii  libdbus-glib-1-2          0.88-2           simple interprocess messaging syst
ii  libfontconfig1            2.8.0-2.1        generic font configuration library
ii  libfreetype6              2.4.2-2.1        FreeType 2 font engine, shared lib
ii  libglib2.0-0              2.24.2-1         The GLib library of C routines
ii  libgtk2.0-0               2.20.1-2         The GTK+ graphical user interface
ii  libjs-mootools            1.2.5~debian1-2  compact JavaScript framework
ii  libnotify1 [libnotify1-g  0.5.0-2          sends desktop notifications to a n
ii  libpango1.0-0             1.28.3-1         Layout and rendering of internatio
ii  libsoup2.4-1              2.30.2-1         an HTTP library implementation in
ii  libsqlite3-0              3.7.4-1          SQLite 3 shared library
ii  libunique-1.0-0           1.1.6-1.1        Library for writing single instanc
ii  libwebkit-1.0-2           1.2.5-2.1        Web content engine library for Gtk
ii  libx11-6                  2:1.3.3-4        X11 client-side library
ii  libxml2                   2.7.8.dfsg-1     GNOME XML library

Versions of packages midori recommends:
ii  gnome-icon-theme  2.30.3-2   GNOME Desktop icon theme

midori suggests no packages.

-- no debconf information



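The report above asks for two things a browser should do: tell the user what is wrong with a certificate (expired, issued to another host) and decide not to connect, let alone send cookies or form data, until verification passes or the user has explicitly trusted that exact certificate. The following is an added example, not code from Midori, WebKitGTK or the Debian maintainers. It works on the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns; the sample certificates, the `fingerprint_sha256` key (a real client would hash the DER form from `getpeercert(binary_form=True)`) and the "trusted fingerprints" exception list are constructed for illustration, and the hostname matching is a simplified form of the RFC 6125 rules without IDNA or IP-address handling.

```python
"""Added example (not Midori's or WebKitGTK's code): list the certificate
problems a browser should show before sending any request, and decide
whether the connection may proceed.  Input is the dict shape returned by
ssl.SSLSocket.getpeercert(); sample data below is constructed."""
import ssl
import time


def _cert_names(cert):
    """Collect the DNS names a certificate is issued for: subjectAltName
    entries first, falling back to the subject commonName as older clients did."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def _name_matches(pattern, hostname):
    """Simplified RFC 6125 matching: exact (case-insensitive) match, or a
    single leading wildcard label that matches exactly one hostname label.
    Assumption: no IDNA and no IP-address certificates."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # "*.libre.fm" must match "turtle.libre.fm" but neither "libre.fm"
    # nor "a.b.libre.fm".
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def certificate_problems(cert, hostname, now=None):
    """Return human-readable problems (empty list if the certificate is valid
    for `hostname` at time `now`, given as seconds since the epoch)."""
    now = time.time() if now is None else now
    problems = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("certificate is not yet valid (notBefore %s)" % cert["notBefore"])
    if now > not_after:
        problems.append("certificate expired on %s" % cert["notAfter"])
    names = _cert_names(cert)
    if not any(_name_matches(name, hostname) for name in names):
        problems.append("certificate issued to %s, not to %s"
                        % (", ".join(names) or "<no name>", hostname))
    return problems


def should_connect(cert, hostname, trusted_fingerprints=(), now=None):
    """Decision to make *before* any cookie or form data leaves the client:
    proceed only if verification passes, or if the user explicitly trusted
    this exact certificate earlier (constructed fingerprint-based exception).
    Returns (proceed, problems) so the UI can show why it blocked."""
    problems = certificate_problems(cert, hostname, now)
    if not problems:
        return True, []
    if cert.get("fingerprint_sha256") in trusted_fingerprints:
        return True, problems
    return False, problems


# Constructed sample resembling the certificate described in the report:
# expired in 2010 and issued to a different host name.
BAD_CERT = {
    "subject": ((("commonName", "other.example.org"),),),
    "subjectAltName": (("DNS", "other.example.org"),),
    "notBefore": "Jan  1 00:00:00 2009 GMT",
    "notAfter": "Jun 30 23:59:59 2010 GMT",
    "fingerprint_sha256": "constructed-fingerprint-1",
}
# Constructed sample of a certificate that would pass for the same host.
GOOD_CERT = {
    "subject": ((("commonName", "turtle.libre.fm"),),),
    "subjectAltName": (("DNS", "turtle.libre.fm"), ("DNS", "*.libre.fm")),
    "notBefore": "Jan  1 00:00:00 2010 GMT",
    "notAfter": "Jan  1 00:00:00 2012 GMT",
    "fingerprint_sha256": "constructed-fingerprint-2",
}
# Fixed clock: the date of the bug report, so the example is reproducible.
REPORT_TIME = ssl.cert_time_to_seconds("Dec 19 04:05:00 2010 GMT")

if __name__ == "__main__":
    for cert in (BAD_CERT, GOOD_CERT):
        proceed, problems = should_connect(cert, "turtle.libre.fm", now=REPORT_TIME)
        print("turtle.libre.fm:", "connect" if proceed else "BLOCK", problems)
```

The point of splitting `certificate_problems` from `should_connect` is the one the report makes: the reasons must exist as data before the connection is used, so the interface can show "expired on ..." or "issued to ..., not to ..." and refuse, rather than colouring the address bar after the request (and the cookies) have already gone out.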