Bug#702976: CVE-2010-3312

Vincent Danen vdanen at redhat.com
Wed Mar 13 22:25:40 UTC 2013


* [2013-03-13 23:10:41 +0100] Sébastien Villemot wrote:

>On Wednesday 13 March 2013 at 15:59 -0600, Vincent Danen wrote:
>> * [2013-03-13 22:12:25 +0100] Sébastien Villemot wrote:
>>
>> >On Wednesday 13 March 2013 at 11:58 -0600, Vincent Danen wrote:
>> >> This issue was given the name CVE-2010-3312 quite a while ago.  See
>> >> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3312 for more info.
>> >
>> >I don't think this is the same issue. The problem reported here is
>> >specifically about redirections, while CVE-2010-3312 (#564690 in Debian)
>> >was about *never* verifying SSL certs (and is now fixed).
>>
>> Well, the issue in our bugzilla is still not fixed in the latest Fedora
>> version, and the bug is about epiphany not validating certificates
>> in general.  Are you sure it's fixed?  If it's fixed in Debian but not
>> upstream, then this should probably be classified as a separate issue
>> (but from where I sit, we have 3.6.1 in Fedora 18 and it doesn't seem to
>> do anything right with regards to SSL certificates).
>
>In Debian, with version 3.4.2, visiting a site with an invalid SSL
>certificate leads to the display of a broken-lock icon on the right-hand
>side of the address bar. This was considered sufficient for
>Debian, see bug #603594 for more details on this.
>
>OTOH, when I visit the URL reported by the submitter, I get the (normal)
>lock icon, i.e. epiphany considers that the site is secure (even though
>the certificate common name does not match the hostname typed by the
>user).

Ahh, ok, understood.

Yeah, this might be a different problem although when I looked at the
examples you have, it was an actual redirect, so despite the user typing
one thing and then there being a redirect, the URL in the browser
matches the certificate.

I don't think I would consider that a security flaw.  Google Chrome
doesn't think so either.  For instance, I added a PHP script to redirect
from one valid HTTPS site to a completely different HTTPS site (using
the header() function) and Chrome still gives me the green padlock,
despite me typing one thing and ending up somewhere completely
different.

I wouldn't consider this a security flaw.  This is just how it works.
FWIW, Firefox acts the same way.  Visit
https://annvix.com/images/redirect.php and it will take you to github,
both HTTPS, no complaints.

-- 
Vincent Danen / Red Hat Security Response Team 
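
The redirect behaviour discussed in this message, modelled as an added example (not part of the original mail and not any browser's code): each hop of a redirect chain is verified against its own hostname, so the final indicator describes only the site the user lands on. The hostnames, certificate names and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style match: '*' is accepted only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # The wildcard covers exactly one label and never a bare two-label name.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_chain(typed_url, hops):
    """hops: non-empty list of (url, names in the certificate served for that url).

    Every hop is checked against its own hostname; the indicator reported at
    the end describes the last hop reached, not the URL the user typed.
    """
    results = []
    for url, cert_names in hops:
        parts = urlsplit(url)
        host = parts.hostname or ""
        ok = parts.scheme == "https" and any(name_matches(n, host) for n in cert_names)
        results.append((host, ok))
        if not ok:
            break  # a response from an unverified hop is not trusted, so stop here
    final_host, final_ok = results[-1]
    return {
        "hops": results,
        "padlock": final_ok,
        "final_host": final_host,
        "left_typed_host": final_host != urlsplit(typed_url).hostname,
    }

# Constructed sample data: hostnames and certificate names are made up.
TYPED = "https://typed.example/redirect.php"
REDIRECT_OK = [
    (TYPED, ["typed.example"]),
    ("https://landing.example/", ["*.landing.example", "landing.example"]),
]
FIRST_HOP_BAD = [
    (TYPED, ["other.example"]),  # certificate does not name the typed host
    ("https://landing.example/", ["landing.example"]),
]

if __name__ == "__main__":
    print(check_chain(TYPED, REDIRECT_OK))
    print(check_chain(TYPED, FIRST_HOP_BAD))
```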



