Re: lynx-dev Patch for SSL warning

From: David Woolley
Subject: Re: lynx-dev Patch for SSL warning
Date: Mon, 18 Nov 2002 22:53:43 +0000 (GMT)

>   should be suppressed by default. It didn't occur in OpenSSL until 3 months
>   ago (lynx.cfg, lyrcfile.h, lyreadcfg.c and http.[ch])

Lynx was broken from a security point of view until a few months ago.  It
failed to authenticate the server.

> +# Ignore errors from OpenSSL saying "unable to get local issuer certificate
> +# Only affects https sites. Lynx must be compied with USE_SSL for this

Typo on compiled.

> +# setting to take effect.

You should include a warning that this makes Lynx vulnerable to man in the
middle attacks and impostor sites.

> +#
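Review bot: the first comment line opens a double quote before `unable to get local issuer certificate` and never closes it, and `compied` should read `compiled`; both would be copied verbatim into every installed lynx.cfg. More important, the comment documents only the mechanics ("only affects https sites", "must be compiled with USE_SSL") and not the effect: once that verify error is ignored, Lynx accepts a server certificate whose issuer it cannot find, which is the whole of server authentication for https. The comment should say which default the setting takes and warn explicitly, e.g. `# WARNING: turning this on means an impostor or man-in-the-middle site will not be detected.` It should also say whether only that one OpenSSL verify error is ignored or all certificate verification failures, since "errors ... saying" leaves that open.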

NO NO NO NO. The default should be secure.  Suppressing symptoms of security
problems is a very bad cure for those problems.

