Re: [dev] Re: [surf] Switching to webkit2 as default

From: Nick <suckless-dev_AT_njw.me.uk>
Date: Sat, 6 Feb 2016 09:11:19 +0000

Quoth Charles Lehner:
> I agree. The discussion of security also got me thinking that surf
> should probably do something about HTTPS certificate verification.
>
> From the article:
>
> > Old versions of Epiphany and Midori load pages even if certificate
> > verification fails; the verification result is only used to change the
> > status of a security indicator, basically giving up your session
> > cookies to attackers.
>
> I did a quick test visiting some sites with invalid certificates:
> surf-webkit1 and surf-webkit2 load them without any notice. So I am
> currently vulnerable to MitM attacks when using surf.

You can set strictssl to TRUE in config.h to fix this behaviour (at
least with the webkit1 surf; haven't looked at the webkit2 one yet).
Received on Sat Feb 06 2016 - 10:11:19 CET
