Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <53163B24.5030204@redhat.com>
Date: Tue, 04 Mar 2014 13:44:20 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com, security@...gle.com
Subject: Re: CVE Request?: konqueror - https uses all ciphers,
 even weak ones

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/04/2014 04:12 AM, John Haxby wrote:
> 
> On 4 Mar 2014, at 11:01, Daniel Kahn Gillmor
> <dkg@...thhorseman.net> wrote:
> 
>> Here is another situation where konqueror successfully indicates
>> a "secure" connection to a server that has a known-insecure
>> configuration: point konqueror at: https://demo.cmrg.net/ --
>> you'll see a successful connection, though that server only
>> offers DHE over a trivially-crackable 16-bit group.
> 
> I suspect that this problem is fairly wide-ranging.   Apple’s
> Safari also permits the link.   Google Chrome doesn’t permit the
> link though, it just crashes :)
> 
> jch

Confirmed on Google Chrome in Linux (33.0.1750.117 and 33.0.1750.146),
Windows (33.0.1750.146 m) and Mac OS X (33.0.1750.146). Firefox
actually handles it really nicely, clear description in the error page
and refuses to let you connect because it's to weak.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJTFjskAAoJEBYNRVNeJnmThWwP/2joiR0gJRzr9IGN7g4JtZHc
yi0LmwScsKE87s5Tr+eq4zC8R1Xp0IpgtNnN7aymnlJO/nuiLGi9tkG0m30pEfqr
U/NhyguYVM9+DJKHqwJmQZnrS+mbERemEUteviGA16gi93MY6q9B275/Ny3Cmc4+
JzFTBvUdLnpWm40chL7BWYDUCVKg3tzR4IXW610OY+qtqhoAHtN9cAwW7u8yNMCo
CXfMPvlcbsErE5t4cGuRX7BmPuznJol1YE+lenOUgXLsbTuvZs65WaJx5WaT8m+1
2NLhN6jb04PDX6Oge1hLwAaFKVO7cRvfjohv3iyuxvxX0VSWUZhGi0B2FjYQdLbb
u3MFruqgXAh84HRuQZBbf3zD8m7V8joyf5NmJlGOiSH6UyYxa5xYZIzDVClkENV1
unTbTpsjtX7SnR1zMGSmBscYHvx5KMcIkcjb4GIzXaJfm3Wj4Wnb5DPGZ7Vqo4WT
10ejwoW5gGI6PsLSG+QKGDVSWvvfPs7r6AfktWe7MvnnoUa0/FWUFTLGzDvzoRN4
//dzTb6BlOlm6pjv7B61MvtumNsoRbrn1BZ3uCv2DjXByANc40Vm2VbQl125a3lA
Tl2O6zSEMuMHQAw8OXxGL78VTiGqLnGuk8S3cEKUf4ZgS5gUa6Miar+EdE3c124z
n0lTKZkj8kEcPyjQxC4M
=DjCu
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.