Re: [dev] Re: [surf] Switching to webkit2 as default
Quoth Charles Lehner:
> I agree. The discussion of security also got me thinking that surf
> should probably do something about HTTPS certificate verification.
>
> From the article:
>
> > Old versions of Epiphany and Midori load pages even if certificate
> > verification fails; the verification result is only used to change the
> > status of a security indicator, basically giving up your session
> > cookies to attackers.
>
> I did a quick test visiting some sites with invalid certificates:
> surf-webkit1 and surf-webkit2 load them without any notice. So I am
> currently vulnerable to MitM attacks when using surf.
You can set strictssl to TRUE in config.h to fix this behaviour (at
least with the webkit1 surf; haven't looked at the webkit2 one yet).
Received on Sat Feb 06 2016 - 10:11:19 CET
This archive was generated by hypermail 2.3.0
: Sat Feb 06 2016 - 10:12:10 CET