
List:       vuln-dev
Subject:    Lynx-SSL doesn't check server certificates
From:       Paweł Grajewski <grajewsp () WEBMEDIA ! PL>
Date:       2000-12-27 21:11:37

Hi all,

Last time I was playing around with mod_ssl, I tried to set up
a test SSL-secured Web site. I quickly generated a self-signed
certificate, then I wanted to check with Lynx-SSL whether it works. I was
really surprised that Lynx-SSL didn't complain about the server
certificate. Other browsers did.

According to the Lynx-SSL web site[1], support for server certificates is
planned as a "future enhancement". Until that is implemented,
there is no way for a potential Lynx-SSL user to check whether the server's
certificate is valid. That makes this software fully vulnerable to MITM
attacks.

[1] http://www.moxienet.com/lynx/

--
*-[ Paweł Grajewski ]------------[ grajewsp@webmedia.pl ]-*
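
The check the post says is missing, as an added example that is not part of the original message or of Lynx-SSL: a verifying client rejects a freshly generated self-signed certificate unless it has been explicitly installed as a trust anchor and matches the requested host name. It assumes the `openssl` command-line tool (1.1.0 or later) is on the PATH; the function names, file names and host names are constructed for the illustration.

```shell
#!/bin/sh
# Added example: what certificate verification does with a self-signed
# test certificate. Assumes the openssl CLI (1.1.0 or later) is installed.

# make_self_signed DIR CN
# Writes a constructed one-day self-signed certificate for CN to DIR/cert.pem.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1/key.pem" -out "$1/cert.pem" \
        >/dev/null 2>&1
}

# verify_cert CERT [ANCHOR [HOST]]
# Prints "trusted" if CERT chains to ANCHOR (or, with no ANCHOR, to the
# system default trust store) and, when HOST is given, also matches HOST.
# Prints "untrusted" otherwise.
verify_cert() {
    cert=$1
    anchor=${2:-}
    host=${3:-}
    set -- verify
    if [ -n "$anchor" ]; then set -- "$@" -CAfile "$anchor"; fi
    if [ -n "$host" ]; then set -- "$@" -verify_hostname "$host"; fi
    if openssl "$@" "$cert" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

demo() {
    dir=$(mktemp -d)
    make_self_signed "$dir" localhost
    # No trust anchor configured: a verifying client must refuse this cert.
    echo "default trust store:        $(verify_cert "$dir/cert.pem")"
    # Operator explicitly pins the test cert and asks for the right name.
    echo "pinned, host localhost:     $(verify_cert "$dir/cert.pem" "$dir/cert.pem" localhost)"
    # Same pinned cert presented for a different host name.
    echo "pinned, host other.example: $(verify_cert "$dir/cert.pem" "$dir/cert.pem" other.example)"
    rm -rf "$dir"
}

demo
```

A client that skips this step treats all three cases the same, which is why the self-signed certificate in the post was accepted without complaint.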
