Bug#702976: CVE-2010-3312
Vincent Danen
vdanen at redhat.com
Wed Mar 13 22:25:40 UTC 2013
* [2013-03-13 23:10:41 +0100] Sébastien Villemot wrote:
>Le mercredi 13 mars 2013 à 15:59 -0600, Vincent Danen a écrit :
>> * [2013-03-13 22:12:25 +0100] Sébastien Villemot wrote:
>>
>> >Le mercredi 13 mars 2013 à 11:58 -0600, Vincent Danen a écrit :
>> >> This issue was given the name CVE-2010-3312 quite a while ago. See
>> >> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3312 for more info.
>> >
>> >I don't think this is the same issue. The problem reported here is
>> >specifically about redirections, while CVE-2010-3312 (#564690 in Debian)
>> >was about *never* verifying SSL certs (and is now fixed).
>>
>> Well, the issue in our bugzilla is still not fixed in the latest Fedora
>> version and since the bug is about epiphany not validating certificates
>> in general. Are you sure it's fixed? If it's fixed in Debian but not
>> upstream, then this should probably be classified as a separate issue
>> (but from where I sit, we have 3.6.1 in Fedora 18 and it doesn't seem to
>> do anything right with regards to SSL certificates).
>
>In Debian, with version 3.4.2, visiting a site with an invalid SSL
>certificate leads to the display of a broken-lock icon in the right
>hand-side of the address bar. This was considered as sufficient for
>Debian, see bug #603594 for more details on this.
>
>OTOH, when I visit the URL reported by the submitter, I get the (normal)
>lock icon, i.e. epiphany considers that the site is secure (even though
>the certificate common name does not match the hostname typed by the
>user).

Ahh, ok, understood.

Yeah, this might be a different problem although when I looked at the
examples you have, it was an actual redirect, so despite the user typing
one thing and then there being a redirect, the URL in the browser
matches the certificate.

I don't think I would consider that a security flaw. Google Chrome
doesn't think so either. For instance, I added a PHP script to redirect
from one valid HTTPS site to a completely different HTTPS site (using
the header() function) and Chrome still gives me the green padlock,
despite me typing one thing and ending up somewhere completely
different.

I wouldn't consider this a security flaw. This is just how it works.

FWIW, Firefox acts the same way. Visit
https://annvix.com/images/redirect.php and it will take you to github,
both HTTPS, no complaints.

--
Vincent Danen / Red Hat Security Response Team
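
The behaviour discussed in this message, modelled as an added example (not part of the original e-mail, and not Epiphany, Chrome or Firefox code): a client checks each hop's certificate against the host it contacts on that hop, so the padlock after a redirect reflects the final URL rather than what was typed. The hostnames, certificate names and the follow() helper are constructed for illustration.

```python
# Added illustration. All hostnames, certificate names and redirects are constructed.

def name_matches(pattern, host):
    """Exact match, or '*' as the entire left-most label covering one label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p == h:
        return True
    if not p.startswith("*."):
        return False
    suffix = p[2:]
    head, _, rest = h.partition(".")
    return bool(head) and rest == suffix and "." in suffix

def cert_covers(cert_names, host):
    return any(name_matches(n, host) for n in cert_names)

def follow(typed_host, sites, max_hops=5):
    """sites maps host -> (names in its certificate, redirect target or None).
    Returns (host reached, padlock shown, reason)."""
    host = typed_host
    for _ in range(max_hops):
        cert_names, target = sites[host]
        # Each connection is checked against the host being contacted on that hop.
        if not cert_covers(cert_names, host):
            return host, False, "certificate does not cover " + host
        if target is None:
            return host, True, "ok"
        host = target  # the redirect arrived over an authenticated connection
    return host, False, "too many redirects"

# Constructed case 1: valid redirect between two unrelated HTTPS sites.
GOOD = {
    "short.example.com": (["short.example.com"], "www.example.org"),
    "www.example.org": (["*.example.org"], None),
}
# Constructed case 2: the first hop presents a certificate for another name.
BAD_FIRST_HOP = {
    "short.example.com": (["unrelated.example.net"], "www.example.org"),
    "www.example.org": (["*.example.org"], None),
}

if __name__ == "__main__":
    print(follow("short.example.com", GOOD))
    print(follow("short.example.com", BAD_FIRST_HOP))
```

In the first case the final certificate does not cover the typed hostname, yet every hop verified against its own host; in the second the client stops before following the redirect.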