[pkg-lynx-maint] Bug#745835: lynx-cur: certificate revocation is not checked
Axel Beckert
abe at debian.org
Mon Apr 27 15:38:53 UTC 2015
Hi Vincent,
Vincent Lefevre wrote:
> Perhaps I should have said "must".
:-)
> A problem related to that is that it is said nowhere in lynx
> documentation that the revocation status is not checked. So, the
> user has a false impression of security.
Sure. And that can be fixed easily and also in the short term in the
Debian package as a patch.
Will do. I'd add it in the NOTES section of the man page, but maybe
also in the inline help at
file://localhost/usr/share/doc/lynx-cur/lynx_help/lynx_url_support.html.gz#http_url.
Something like
    NOTES
        While HTTPS is supported, Lynx currently can't check certification
        revocation lists and doesn't support the Online Certificate Status
        Protocol (OCSP), hence it can't warn about websites using revoked
        SSL certificates.
Or do you have a better suggestion?
Regards, Axel
--
,''`. | Axel Beckert <abe at debian.org>, http://people.debian.org/~abe/
: :' : | Debian Developer, ftp.ch.debian.org Admin
`. `' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
`- | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE