I am very glad to receive your responce. We test links in Ubuntu 12.04. thanks, rainkin
------------------ 原始邮件 ------------------ 发件人: "Axel Beckert";<a...@debian.org>; 发送时间: 2014年10月18日(星期六) 凌晨2:51 收件人: "rainkin"<598105...@qq.com>; 主题: [Bug 1381936] Re: SSL connection is not secure in links Please also state which version of links (or alternatively which version of Ubuntu) you checked. -- You received this bug notification because you are subscribed to the bug report. https://bugs.launchpad.net/bugs/1381936 Title: SSL connection is not secure in links Status in “links2” package in Ubuntu: Incomplete Bug description: Recently, we are trying to find SSL security problems by static analysis. For example, as we all know, Hostname verification is an important step when verifying X509 certificates, however, people tend to miss the step or to misunderstand the APIs when using SSL/TLS, which might cause severe man in the middle attack and break the entire TLS mechanism. And static analysis is a way of finding whether the APIs are called correctly. Now, we find some SSL problems in links: 1. miss hostname check when verify x509 certificate 2. miss expired time check when verify x509 certificate More specifically , we can take function SSL_CTX_set_verify() for example, when using OPENSSL, if we call SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_NONE, null), we should verify the certificate by calling the function SSL_get_peer_certificate() to get the certificate at first. Then use X509 APIs or self-define function to verify the certificate we get. If the source code does not match this model, then we can deduce this code is vulnerable. And other APIs have similar problems. To verify the result we make, we prove the vulnerability manually. Result :we can browse any website with invalid certificate and we won’t get any warnings. PS: for more information, you can see the paper: http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf and more details you can contact with us, we will be very glad for your responce. Thanks. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/links2/+bug/1381936/+subscriptions ** Description changed: Recently, we are trying to find SSL security problems by static analysis. For example, as we all know, Hostname verification is an important step when verifying X509 certificates, however, people tend to miss the step or to misunderstand the APIs when using SSL/TLS, which might cause severe man in the middle attack and break the entire TLS mechanism. And static analysis is a way of finding whether the APIs are called correctly. Now, we find some SSL problems in links: 1. miss hostname check when verify x509 certificate 2. miss expired time check when verify x509 certificate More specifically , we can take function SSL_CTX_set_verify() for example, when using OPENSSL, if we call SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_NONE, null), we should verify the certificate by calling the function SSL_get_peer_certificate() to get the certificate at first. Then use X509 APIs or self-define function to verify the certificate we get. If the source code does not match this model, then we can deduce this code is vulnerable. And other APIs have similar problems. To verify the result we make, we prove the vulnerability manually. - Result :we can browse any website with invalid certificate and we won’t get any warnings. + Result :we can browse any website with invalid certificate and we won’t get any warnings. PS: + We test links in Ubunut 12.04. for more information, you can see the paper: http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf and more details you can contact with us, we will be very glad for your responce. Thanks. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1381936 Title: SSL connection is not secure in links To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/links2/+bug/1381936/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs