Debian Bug report logs -
#607497
midori: Loads HTTPS with SSL errors without any notice
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, baryluk@smp.if.uj.edu.pl, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ryan Niebur <ryan@debian.org>:
Bug#607497; Package midori.
(Sun, 19 Dec 2010 03:09:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Witold Baryluk <baryluk@smp.if.uj.edu.pl>:
New Bug report received and forwarded. Copy sent to baryluk@smp.if.uj.edu.pl, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ryan Niebur <ryan@debian.org>.
(Sun, 19 Dec 2010 03:09:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: midori
Version: 0.2.7-1.1
Severity: grave
Tags: security squeeze
Justification: user security hole
Simple example
Go to https://turtle.libre.fm/
(this site have expired ssl certificate, and it is issued to other domain).
Address bar in midori will go red, yes, but there is no way to see what is
wrong.
(One can use wget or openssl sclient ... or other browser)
What is worse, midori actually loads this page and shows us a page.
It should block request, and should not make connection so easy.
(IMHO there should not even be a way to bypass this errors).
Possible private data leakage:
- cookies
- private urls
- logins, passwords data
- confidential informations on page.
This bug makes MITM attack quite simple.
Yes, user will notice this (becuase of red address bar), but it will be already
to late to do anything - data was already sent and received.
Thanks.
-- System Information:
Debian Release: 6.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.37-rc5-sredniczarny-11471-g6313e3c (SMP w/1 CPU core; PREEMPT)
Locale: LANG=pl_PL.utf8, LC_CTYPE=pl_PL.utf8 (charmap=UTF-8) (ignored: LC_ALL set to pl_PL.utf8)
Shell: /bin/sh linked to /bin/dash
Versions of packages midori depends on:
ii dbus-x11 1.2.24-3 simple interprocess messaging syst
ii dpkg 1.15.8.6 Debian package management system
ii libatk1.0-0 1.30.0-1 The ATK accessibility toolkit
ii libc6 2.11.2-7 Embedded GNU C Library: Shared lib
ii libcairo2 1.8.10-6 The Cairo 2D vector graphics libra
ii libdbus-1-3 1.2.24-3 simple interprocess messaging syst
ii libdbus-glib-1-2 0.88-2 simple interprocess messaging syst
ii libfontconfig1 2.8.0-2.1 generic font configuration library
ii libfreetype6 2.4.2-2.1 FreeType 2 font engine, shared lib
ii libglib2.0-0 2.24.2-1 The GLib library of C routines
ii libgtk2.0-0 2.20.1-2 The GTK+ graphical user interface
ii libjs-mootools 1.2.5~debian1-2 compact JavaScript framework
ii libnotify1 [libnotify1-g 0.5.0-2 sends desktop notifications to a n
ii libpango1.0-0 1.28.3-1 Layout and rendering of internatio
ii libsoup2.4-1 2.30.2-1 an HTTP library implementation in
ii libsqlite3-0 3.7.4-1 SQLite 3 shared library
ii libunique-1.0-0 1.1.6-1.1 Library for writing single instanc
ii libwebkit-1.0-2 1.2.5-2.1 Web content engine library for Gtk
ii libx11-6 2:1.3.3-4 X11 client-side library
ii libxml2 2.7.8.dfsg-1 GNOME XML library
Versions of packages midori recommends:
ii gnome-icon-theme 2.30.3-2 GNOME Desktop icon theme
midori suggests no packages.
-- no debconf information
Information forwarded
to debian-bugs-dist@lists.debian.org, Ryan Niebur <ryan@debian.org>:
Bug#607497; Package midori.
(Sun, 19 Dec 2010 18:27:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Ryan Niebur <ryan@debian.org>.
(Sun, 19 Dec 2010 18:27:06 GMT) (full text, mbox, link).
Message #10 received at 607497@bugs.debian.org (full text, mbox, reply):
severity 607497 important
fixed 607497 0.2.7-1.1
thanks
On Sun, 19 Dec 2010 04:05:00 +0100 Witold Baryluk wrote:
> Package: midori
> Version: 0.2.7-1.1
> Severity: grave
> Tags: security squeeze
> Justification: user security hole
>
> Simple example
>
> Go to https://turtle.libre.fm/
> (this site have expired ssl certificate, and it is issued to other domain).
>
> Address bar in midori will go red, yes, but there is no way to see what is
> wrong.
> (One can use wget or openssl sclient ... or other browser)
>
> What is worse, midori actually loads this page and shows us a page.
>
> It should block request, and should not make connection so easy.
> (IMHO there should not even be a way to bypass this errors).
>
> Possible private data leakage:
> - cookies
> - private urls
> - logins, passwords data
> - confidential informations on page.
>
> This bug makes MITM attack quite simple.
>
> Yes, user will notice this (becuase of red address bar), but it will be already
> to late to do anything - data was already sent and received.
This is CVE-2010-3900 [0]. It has been decided that since Midori's
support for SSL is inherently limited that this fix won't be applied
for squeeze. It is currently recommended to not use midori if SSL
support is important to you. Epiphany or chromium are the preferred
webkit-based browsers.
Best wishes,
Mike
[0] http://security-tracker.debian.org/tracker/CVE-2010-3900
Severity set to 'important' from 'grave'
Request was from Michael Gilbert <michael.s.gilbert@gmail.com>
to control@bugs.debian.org.
(Sun, 19 Dec 2010 18:27:07 GMT) (full text, mbox, link).
Bug Marked as fixed in versions midori/0.2.7-1.1.
Request was from Michael Gilbert <michael.s.gilbert@gmail.com>
to control@bugs.debian.org.
(Sun, 19 Dec 2010 18:27:08 GMT) (full text, mbox, link).
Message sent on
to Witold Baryluk <baryluk@smp.if.uj.edu.pl>:
Bug#607497.
(Sun, 19 Dec 2010 18:27:10 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Ryan Niebur <ryan@debian.org>:
Bug#607497; Package midori.
(Mon, 20 Dec 2010 09:06:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Tomas Hoger <thoger@redhat.com>:
Extra info received and forwarded to list. Copy sent to Ryan Niebur <ryan@debian.org>.
(Mon, 20 Dec 2010 09:06:03 GMT) (full text, mbox, link).
Message #22 received at 607497@bugs.debian.org (full text, mbox, reply):
Hi Mike!
What Witold reports is actually post-CVE-2010-3900 behavior. Does any
webkitgtk-based epiphany version offer any more protection than after
connect / fetch warning?
th.
Information forwarded
to debian-bugs-dist@lists.debian.org, Ryan Niebur <ryan@debian.org>:
Bug#607497; Package midori.
(Wed, 05 Oct 2011 22:33:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Francesco Poli <invernomuto@paranoici.org>:
Extra info received and forwarded to list. Copy sent to Ryan Niebur <ryan@debian.org>.
(Wed, 05 Oct 2011 22:33:03 GMT) (full text, mbox, link).
Message #31 received at 607497@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Sun, 19 Dec 2010 04:05:00 +0100 Witold Baryluk wrote:
[...]
> Go to https://turtle.libre.fm/
> (this site have expired ssl certificate, and it is issued to other domain).
>
> Address bar in midori will go red, yes, but there is no way to see what is
> wrong.
[...]
I would like to add a little more information.
As noted in the upstream bug [1], Midori currently lacks a certificate
manager and an accurate certificate verification mechanism.
[1] https://bugs.launchpad.net/midori/+bug/706857
Moreover, the color of the location bar is sometimes misleading: it
happens that it becomes red ("Not verified"), and then, after clicking
on the little (i) icon, it becomes yellow ("Verified and encrypted
connection") upon reloading the page. Sometimes the opposite happens
(a page is considered verified, but turns into non-verified after
clicking on the little locker icon).
I hope that these issues may be solved very soon.
Midori is a nice lightweight web browser with a great potential, but a
modern browser cannot afford lacking proper SSL certificate management
and verification!
--
http://www.inventati.org/frx/frx-gpg-key-transition-2010.txt
New GnuPG key, see the transition document!
..................................................... Francesco Poli .
GnuPG key fpr == CA01 1147 9CD2 EFDF FB82 3925 3E1C 27E1 1F69 BFFE
[Message part 2 (application/pgp-signature, inline)]
Added tag(s) fixed-upstream.
Request was from bts-link-upstream@lists.alioth.debian.org
to control@bugs.debian.org.
(Mon, 27 Aug 2012 16:51:18 GMT) (full text, mbox, link).
Merged 607497 672880
Request was from Yves-Alexis Perez <corsac@debian.org>
to 672880-submit@bugs.debian.org.
(Wed, 10 Oct 2012 06:15:05 GMT) (full text, mbox, link).
No longer marked as fixed in versions midori/0.2.7-1.1.
Request was from Thijs Kinkhorst <thijs@debian.org>
to control@bugs.debian.org.
(Fri, 04 Oct 2013 13:45:09 GMT) (full text, mbox, link).
Marked as fixed in versions midori/0.2.7-1.1.
Request was from Thijs Kinkhorst <thijs@debian.org>
to control@bugs.debian.org.
(Fri, 04 Oct 2013 13:51:12 GMT) (full text, mbox, link).
No longer marked as fixed in versions midori/0.2.7-1.1.
Request was from Andreas Beckmann <anbe@debian.org>
to control@bugs.debian.org.
(Sun, 24 Nov 2013 20:39:33 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#607497; Package midori.
(Wed, 21 Oct 2015 05:33:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Sergio Durigan Junior <sergiodj@sergiodj.net>:
Extra info received and forwarded to list.
(Wed, 21 Oct 2015 05:33:07 GMT) (full text, mbox, link).
Message #46 received at 607497@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Wednesday, October 05 2011, Francesco Poli wrote:
> On Sun, 19 Dec 2010 04:05:00 +0100 Witold Baryluk wrote:
>
> [...]
>> Go to https://turtle.libre.fm/
>> (this site have expired ssl certificate, and it is issued to other domain).
>>
>> Address bar in midori will go red, yes, but there is no way to see what is
>> wrong.
> [...]
>
> I would like to add a little more information.
>
> As noted in the upstream bug [1], Midori currently lacks a certificate
> manager and an accurate certificate verification mechanism.
>
> [1] https://bugs.launchpad.net/midori/+bug/706857
>
> Moreover, the color of the location bar is sometimes misleading: it
> happens that it becomes red ("Not verified"), and then, after clicking
> on the little (i) icon, it becomes yellow ("Verified and encrypted
> connection") upon reloading the page. Sometimes the opposite happens
> (a page is considered verified, but turns into non-verified after
> clicking on the little locker icon).
>
> I hope that these issues may be solved very soon.
> Midori is a nice lightweight web browser with a great potential, but a
> modern browser cannot afford lacking proper SSL certificate management
> and verification!
Hi there,
I am the new maintainer for Midori on Debian, and I am inclined to close
this bug. As far as I understood from this (very old) discussion, what
was missing was a way to identify whether a website's SSL/TLS
certificate was valid or not, and take some action based on this.
Well, Midori has been offering a way to "trust a website" if the
certificate being used is not signed/valid, which means that the
connection to the website does not happen until the user actively
chooses to continue. While I agree that the current solution still
needs some improvement, I do believe that, as far as security is
concerned, the behavior described in this report does not exist anymore.
Another thing worth mentioning is that the upstream bug has been closed
for a while now.
I realize it has been a long time since this bug (and this package) has
received any attention, so I will wait a few days to see if anybody has
anything else to say, and then I will close the bug if nobody complains.
Thanks,
--
Sergio
GPG key ID: 237A 54B1 0287 28BF 00EF 31F4 D0EB 7628 65FC 5E36
Please send encrypted e-mail if possible
http://sergiodj.net/
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Sergio Durigan Junior <sergiodj@sergiodj.net>:
Bug#607497; Package midori.
(Wed, 21 Oct 2015 13:15:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Henri Salo <henri@nerv.fi>:
Extra info received and forwarded to list. Copy sent to Sergio Durigan Junior <sergiodj@sergiodj.net>.
(Wed, 21 Oct 2015 13:15:04 GMT) (full text, mbox, link).
Message #51 received at 607497@bugs.debian.org (full text, mbox, reply):
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> While I agree that the current solution still needs some improvement, I do
> believe that, as far as security is concerned, the behavior described in this
> report does not exist anymore.
Then you can close this bug.
> I realize it has been a long time since this bug (and this package) has
> received any attention
Received attention should not be the indicator of whether bug should be closed
or not.
I do not know what happened to tags in this bug report, but in Debian security
tracker this issue has been marked as fixed in 0.2.7-1.1 version. There is also
a note that Midori should not be used if SSL support is important to you. Is
this correct information?
Please see: https://security-tracker.debian.org/tracker/CVE-2010-3900
I can also do some testing if that is needed. If user should not use Midori when
SSL/TLS support is important then it should be clearly pointed out at least in
the man page.
- --
Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQIcBAEBAgAGBQJWJ49lAAoJECet96ROqnV0nWQQAI5Jobp+aeKcm3IWt2j4PFMU
7vuz6saI0vzpFfWFeBPW2oF622wyeUf4uwpiKGEDZzMcSSCSLp3IoGDDv9Qte4WK
rcjSVkyCJuxro+4rnFALjaqyC1IsajRsKdpHpQAEZKL2p9LLofReBnl871f0eBIo
kCy6dzmG3RhWSafQeL86x1TQ6gZLVcl3eWvNfnEql2rRq2rU85dR/VNaUnISrS9k
6HqLkW90ToTB/+huMp1ftD/SVNaucA0SkObskXskO9xlo8LAL5yJBQ8ZA98veS/p
XrOh8D7nLmxvBd79sxj4SaAhKa0+9O5CHZLzUXSTbKSGMzq5VRToXGF5nsDCMSs+
vZ8mfEJ6qsIaiJLpq+B3w2tvbYNg8veZs3VeDBQtALmGVcbwCTko6cdKlgPjxB7O
+C3vruCGgPthKWVYPKZ7Z0Ug6Nk93YKU0ZVNtu/vXI0GSmty4Z9r3nxt13r5G/0I
YDzzHYUeP4j+EDvobNCFAqjvZLQxh4wmSP8of+98KxDOd8VODA6kfXVMLkP1fXH0
XudRyvIDIjJyXUN1lYQtpuxghBXmVC581IWCwV033ki1ZUHphM+lyK4sWGELGkIy
waZ/fV8SWA3MjxaMTWWpUdfnDw8hJL+SvQd56Oa6sBy3kO+3R3XlALRpbfjA+v8Y
7zheUuiltaANV1qvmO38
=IsEI
-----END PGP SIGNATURE-----
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#607497; Package midori.
(Wed, 21 Oct 2015 17:33:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Sergio Durigan Junior <sergiodj@sergiodj.net>:
Extra info received and forwarded to list.
(Wed, 21 Oct 2015 17:33:08 GMT) (full text, mbox, link).
Message #56 received at 607497@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Wednesday, October 21 2015, Henri Salo wrote:
>> While I agree that the current solution still needs some improvement, I do
>> believe that, as far as security is concerned, the behavior described in this
>> report does not exist anymore.
>
> Then you can close this bug.
This bug is important enough that it deserves a double-check, therefore
I do not think I can just close it out of nowhere.
>> I realize it has been a long time since this bug (and this package) has
>> received any attention
>
> Received attention should not be the indicator of whether bug should be closed
> or not.
I did not say this.
> I do not know what happened to tags in this bug report, but in Debian security
> tracker this issue has been marked as fixed in 0.2.7-1.1 version. There is also
> a note that Midori should not be used if SSL support is important to you. Is
> this correct information?
To the extent of my knowledge, no.
> Please see: https://security-tracker.debian.org/tracker/CVE-2010-3900
What makes you think I did not see this?
> I can also do some testing if that is needed. If user should not use Midori when
> SSL/TLS support is important then it should be clearly pointed out at least in
> the man page.
I would appreciate more testing, of course. That is why I decided to
ping this bug instead of closing it.
--
Sergio
GPG key ID: 237A 54B1 0287 28BF 00EF 31F4 D0EB 7628 65FC 5E36
Please send encrypted e-mail if possible
http://sergiodj.net/
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Sergio Durigan Junior <sergiodj@sergiodj.net>:
Bug#607497; Package midori.
(Wed, 21 Oct 2015 17:42:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Henri Salo <henri@nerv.fi>:
Extra info received and forwarded to list. Copy sent to Sergio Durigan Junior <sergiodj@sergiodj.net>.
(Wed, 21 Oct 2015 17:42:05 GMT) (full text, mbox, link).
Message #61 received at 607497@bugs.debian.org (full text, mbox, reply):
On Wed, Oct 21, 2015 at 01:28:31PM -0400, Sergio Durigan Junior wrote:
> I did not say this.
Okay. I just wanted to point it out. Not sure that how people work when they
start as a new maintainer for package with old bugs like this case.
> What makes you think I did not see this?
Not all maintainers follow/update security-tracker so I made assumption.
> I would appreciate more testing, of course. That is why I decided to
> ping this bug instead of closing it.
Great. I can help later this week. We can also communicate in IRC if you are in
OFTC IRC-network?
--
Henri Salo (fgeek)
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#607497; Package midori.
(Wed, 21 Oct 2015 17:48:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Sergio Durigan Junior <sergiodj@sergiodj.net>:
Extra info received and forwarded to list.
(Wed, 21 Oct 2015 17:48:04 GMT) (full text, mbox, link).
Message #66 received at 607497@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Wednesday, October 21 2015, Henri Salo wrote:
>> I would appreciate more testing, of course. That is why I decided to
>> ping this bug instead of closing it.
>
> Great. I can help later this week. We can also communicate in IRC if you are in
> OFTC IRC-network?
My nickname is sergiodj there.
Thanks,
--
Sergio
GPG key ID: 237A 54B1 0287 28BF 00EF 31F4 D0EB 7628 65FC 5E36
Please send encrypted e-mail if possible
http://sergiodj.net/
[signature.asc (application/pgp-signature, inline)]
Reply sent
to Adrian Bunk <bunk@debian.org>:
You have taken responsibility.
(Mon, 27 Feb 2017 19:41:21 GMT) (full text, mbox, link).
Notification sent
to Witold Baryluk <baryluk@smp.if.uj.edu.pl>:
Bug acknowledged by developer.
(Mon, 27 Feb 2017 19:41:21 GMT) (full text, mbox, link).
Message #71 received at 607497-done@bugs.debian.org (full text, mbox, reply):
Dear submitter,
these bug are tagged squeeze without any wheezy/jessie/stretch tag
implying that the bug is not present in more recent Debian releases.
squeeze is no longer supported.
We are sorry that we couldn't deal with your issue in squeeze.
If this bug was incorrectly tagged squeeze, please reopen the bug
and remove the squeeze tag.
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
Reply sent
to Adrian Bunk <bunk@debian.org>:
You have taken responsibility.
(Mon, 27 Feb 2017 19:41:21 GMT) (full text, mbox, link).
Notification sent
to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer.
(Mon, 27 Feb 2017 19:41:21 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 28 Mar 2017 07:41:38 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 15:13:07 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon