thr3ads.net - Secure testing team - [Secure-testing-team] Bug#607497: midori: Loads HTTPS with SSL errors without any notice [Dec 2010]

If this information is useful, please help other people find it:
Share via:

Witold Baryluk

2010-Dec-19 03:05 UTC

[Secure-testing-team] Bug#607497: midori: Loads HTTPS with SSL errors without any notice

Package: midori
Version: 0.2.7-1.1
Severity: grave
Tags: security squeeze
Justification: user security hole

Simple example

Go to https://turtle.libre.fm/
(this site have expired ssl certificate, and it is issued to other domain).

Address bar in midori will go red, yes, but there is no way to see what is
wrong.
(One can use wget or openssl sclient ... or other browser)

What is worse, midori actually loads this page and shows us a page.

It should block request, and should not make connection so easy.
(IMHO there should not even be a way to bypass this errors).

Possible private data leakage:
  - cookies
  - private urls
  - logins, passwords data
  - confidential informations on page.

This bug makes MITM attack quite simple.

Yes, user will notice this (becuase of red address bar), but it will be already
to late to do anything - data was already sent and received.


Thanks.



-- System Information:
Debian Release: 6.0
  APT prefers unstable
  APT policy: (500, ''unstable''), (1,
''experimental'')
Architecture: i386 (i686)

Kernel: Linux 2.6.37-rc5-sredniczarny-11471-g6313e3c (SMP w/1 CPU core; PREEMPT)
Locale: LANG=pl_PL.utf8, LC_CTYPE=pl_PL.utf8 (charmap=UTF-8) (ignored: LC_ALL
set to pl_PL.utf8)
Shell: /bin/sh linked to /bin/dash

Versions of packages midori depends on:
ii  dbus-x11                 1.2.24-3        simple interprocess messaging syst
ii  dpkg                     1.15.8.6        Debian package management system
ii  libatk1.0-0              1.30.0-1        The ATK accessibility toolkit
ii  libc6                    2.11.2-7        Embedded GNU C Library: Shared lib
ii  libcairo2                1.8.10-6        The Cairo 2D vector graphics libra
ii  libdbus-1-3              1.2.24-3        simple interprocess messaging syst
ii  libdbus-glib-1-2         0.88-2          simple interprocess messaging syst
ii  libfontconfig1           2.8.0-2.1       generic font configuration library
ii  libfreetype6             2.4.2-2.1       FreeType 2 font engine, shared lib
ii  libglib2.0-0             2.24.2-1        The GLib library of C routines
ii  libgtk2.0-0              2.20.1-2        The GTK+ graphical user interface 
ii  libjs-mootools           1.2.5~debian1-2 compact JavaScript framework
ii  libnotify1 [libnotify1-g 0.5.0-2         sends desktop notifications to a n
ii  libpango1.0-0            1.28.3-1        Layout and rendering of internatio
ii  libsoup2.4-1             2.30.2-1        an HTTP library implementation in 
ii  libsqlite3-0             3.7.4-1         SQLite 3 shared library
ii  libunique-1.0-0          1.1.6-1.1       Library for writing single instanc
ii  libwebkit-1.0-2          1.2.5-2.1       Web content engine library for Gtk
ii  libx11-6                 2:1.3.3-4       X11 client-side library
ii  libxml2                  2.7.8.dfsg-1    GNOME XML library

Versions of packages midori recommends:
ii  gnome-icon-theme              2.30.3-2   GNOME Desktop icon theme

midori suggests no packages.

-- no debconf information

Secure testing team - Dec 2010 - Bug#607497: midori: Loads HTTPS with SSL errors without any notice

[Secure-testing-team] Bug#607497: midori: Loads HTTPS with SSL errors without any notice