[Secure-testing-team] Bug#510417: links2: silently accepts bad SSL certificates
Neil Moore
neil at s-z.org
Thu Jan 1 16:57:35 UTC 2009
Package: links2
Version: 2.2-1
Severity: grave
Tags: security
Justification: user security hole
Links2 does not validate certificates it receives; as a result, there is
no warning that one is visiting a page with an expired certificate, a
certificate not signed by a trusted authority, or a certificate for the
wrong hostname. As a result, an attacker capable of intercepting one's
packets can launch a man-in-the-middle attack to obtain account numbers,
passwords, etc.
At the very least, the documentation should prominently warn that
links2's HTTPS support is not to be relied upon for sensitive
information.
This is the same issue reported in bug 510348 for the (unrelated) browser
'dillo'.
-- System Information:
Debian Release: 5.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-openvz-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages links2 depends on:
ii libc6 2.7-16 GNU C Library: Shared libraries
ii libdirectfb-1.0-0 1.0.1-11 direct frame buffer graphics - sha
ii libgpm2 1.20.4-3.1 General Purpose Mouse - shared lib
ii libjpeg62 6b-14 The Independent JPEG Group's JPEG
ii libpng12-0 1.2.27-2 PNG library - runtime
ii libssl0.9.8 0.9.8g-14 SSL shared libraries
ii libsvga1 1:1.4.3-27 console SVGA display libraries
ii libtiff4 3.8.2-11 Tag Image File Format (TIFF) libra
ii libx11-6 2:1.1.5-2 X11 client-side library
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
links2 recommends no packages.
links2 suggests no packages.
-- no debconf information
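The three checks the report says links2 skips (trusted issuer, validity period, matching hostname), as an added example that is not part of the bug report or of links2's code. It uses only the Python standard library; chain trust is delegated to the OpenSSL context, while expiry and hostname are also shown by hand on the dict shape that `ssl.SSLSocket.getpeercert()` returns. The certificate dicts and the `bank.example` / `attacker.example` names are constructed samples.

```python
# Added example (not from the bug report or links2): what a validating TLS client
# checks before trusting a server certificate. The sample certs are constructed.
import ssl
import time


def make_verifying_context():
    """Context that refuses untrusted issuers, expired certs and wrong hostnames."""
    ctx = ssl.create_default_context()      # loads the system CA store
    ctx.verify_mode = ssl.CERT_REQUIRED     # unsigned / untrusted chain -> handshake fails
    ctx.check_hostname = True               # cert for another host -> handshake fails
    return ctx


def context_enforces_validation(ctx):
    """True when the context would reject the three cases the report describes."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def hostname_matches(pattern, hostname):
    """RFC 6125 style: case-insensitive; one '*' only as the whole leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    # the wildcard must be exactly the leftmost label and must not cover a whole TLD
    return p[0] == "*" and len(p) >= 3 and len(p) == len(h) and p[1:] == h[1:]


def check_peer_cert(cert, hostname, now=None):
    """Problems a client should report for an already chain-verified peer cert."""
    now = time.time() if now is None else now
    problems = []
    if ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        problems.append("not yet valid")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("expired")
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(hostname_matches(n, hostname) for n in names):
        problems.append("hostname mismatch")
    return problems


REPORT_TIME = ssl.cert_time_to_seconds("Jan  1 16:57:35 2009 GMT")  # date of the report
EXPIRED_CERT = {"subjectAltName": (("DNS", "bank.example"),),            # constructed sample
                "notBefore": "Jan  1 00:00:00 2008 GMT", "notAfter": "Dec 31 23:59:59 2008 GMT"}
WRONG_HOST_CERT = {"subjectAltName": (("DNS", "*.attacker.example"),),   # constructed sample
                   "notBefore": "Jan  1 00:00:00 2008 GMT", "notAfter": "Dec 31 23:59:59 2010 GMT"}
GOOD_CERT = {"subjectAltName": (("DNS", "*.bank.example"),),             # constructed sample
             "notBefore": "Jan  1 00:00:00 2008 GMT", "notAfter": "Dec 31 23:59:59 2010 GMT"}
```

A client that skips any of these checks, as the report describes, accepts the interposed certificate of a man-in-the-middle without complaint; with `make_verifying_context()` the handshake fails instead.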