List: vuln-dev
Subject: Lynx-SSL doesn't check server certificates
From: Paweł Grajewski <grajewsp () WEBMEDIA ! PL>
Date: 2000-12-27 21:11:37
Hi all,

Last time I was playing around with mod_ssl, I tried to set up
a test SSL-secured Web site. I quickly generated a self-signed
certificate, then I wanted to check with Lynx-SSL if it works. I was
really surprised that Lynx-SSL didn't complain about the server
certificate. Other browsers did.

According to the Lynx-SSL web site[1], support for server certificates is
planned as a "future enhancement". Until that is implemented,
there is no way for a potential Lynx-SSL user to check whether the server's
certificate is valid. That makes this software fully vulnerable to MITM
attacks.

[1] http://www.moxienet.com/lynx/
--
*-[ Paweł Grajewski ]------------[ grajewsp@webmedia.pl ]-*
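
Added example, not part of the original message: the decision a verifying client makes about a quickly generated self-signed certificate like the one described above, reproduced with the `openssl` command line. The host names, file names and the `make_self_signed` / `client_decision` helpers are constructed for this illustration.

```shell
#!/bin/sh
# Added illustration; every name and path below is constructed for the demo.

# Create a throwaway self-signed certificate for CN=$2 in directory $1,
# comparable to a quick mod_ssl test certificate.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Print "accept" only if the certificate chains to a trust anchor and,
# when a host name is given, matches that name; otherwise print "reject".
#   $1 = server certificate
#   $2 = trust anchor file ("" = default trust store only)
#   $3 = expected host name ("" = skip the name check)
client_decision() {
    cert=$1
    anchor=$2
    host=$3
    set -- verify
    if [ -n "$anchor" ]; then set -- "$@" -CAfile "$anchor"; fi
    if [ -n "$host" ]; then set -- "$@" -verify_hostname "$host"; fi
    # openssl prints "<file>: OK" on stdout only when verification succeeds.
    if openssl "$@" "$cert" 2>/dev/null | grep -q ': OK$'; then
        echo accept
    else
        echo reject
    fi
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_self_signed "$demo_dir" test.example
crt="$demo_dir/cert.pem"

# A client that validates rejects the unknown self-signed certificate.
echo "default trust store:       $(client_decision "$crt" "" "")"
# The operator of a test site can trust the certificate explicitly.
echo "explicit trust anchor:     $(client_decision "$crt" "$crt" test.example)"
# Even a trusted certificate must match the host the client asked for.
echo "trusted, wrong host name:  $(client_decision "$crt" "$crt" other.example)"
```

A client that performs neither check behaves as if every line above said "accept".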