From 9a4ba5c59035879b9780337ec38d08f092ef19bb Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sat, 16 Feb 2008 04:19:30 -0500 Subject: [PATCH] web commit by https://brian.may.myopenid.com/: not checking ssl certificates --- doc/bugs/ssl_certificates_not_checked_with_openid.mdwn | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 doc/bugs/ssl_certificates_not_checked_with_openid.mdwn diff --git a/doc/bugs/ssl_certificates_not_checked_with_openid.mdwn b/doc/bugs/ssl_certificates_not_checked_with_openid.mdwn new file mode 100644 index 000000000..a35e1c842 --- /dev/null +++ b/doc/bugs/ssl_certificates_not_checked_with_openid.mdwn @@ -0,0 +1,9 @@ +As far as I can tell, ikiwiki is not checking the SSL certificate of the remote host when using openid authentication. If so, this would allow for man-in-the-middle type attacks. Alternatively, maybe I am getting myself confused. + +Test #1: Enter URL as openid server that cannot be verified (either because the certificate is self signed or signed by an unknown CA). I get no SSL errors. + +Test #2: Download net_ssl_test from dodgy source (it uses the same SSL perl library, and test again. It seems to complain (on same site ikiwiki worked with) when it can't verify the signature. Although there is other breakage with the version I managed to download (eg. argument parsing is broken; also if I try to connect to a proxy server, it instructs the proxy server to connect to itself for some weird reason). + +For now, I want to try and resolve the issues with net_ssl_test, and run more tests. However, in the meantime, I thought I would document the issue here. + +-- Brian May