[pkg-lynx-maint] Bug#991971: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances)

[Thorsten Glaser]

Axel Beckert dixit:

>This is more severe than it initially looked like: Due to TLS Server
>Name Indication (SNI) the hostname as parsed by Lynx (i.e with
>"user:pass@" included) is sent in _clear_ text over the wire even

I *ALWAYS* SAID SNI IS A SHIT THING ONLY USED AS BAD EXCUSE FOR NAT
BY PEOPLE WHO ARE TOO STUPID TO CONFIGURE THEIR SERVERS RIGHT AND AS
BAD EXCUSE FOR LACKING IPv6 SUPPORT, AND THEN THE FUCKING IDIOTS WENT
AND MADE SNI *MANDATORY* FOR TLSv1.3, AND I FEEL *SO* VINDICATED RIGHT
NOW! IDIOTS IN CHARGE OF SECURITY, FUCKING IDIOTS…

>But given that the symptoms Thorsten discovered stayed unreported for
>quite some years, I assume that this use case is a rather seldom one.

Nah, SNI is a rather recent thing. But…

>IMHO this nevertheless needs a CVE-ID.

… it probably does. Other browsers also need checking.

Thanks for the detective work,
//mirabilos
-- 
<diogenese> Beware of ritual lest you forget the meaning behind it.
<igli> yeah but it means if you really care about something, don't
    ritualise it, or you will lose it. don't fetishise it, don't
    obsess. or you'll forget why you love it in the first place.