Bug#702976: epiphany-browser: domainname not checked on https

Josselin Mouette joss at debian.org
Wed Mar 13 22:23:22 UTC 2013


On Wednesday, 13 March 2013 at 17:29 +0100, Christoph Anton Mitterer
wrote:
> It seems that epiphany at least does not check the domain name correctly
> when connecting to a site via https.
> 
> For example, when I go to:
> https://physik.lmu.de/~mitterer/
> it redirects me automatically to
> https://homepages.physik.uni-muenchen.de/~mitterer/
> without any complaining.

I don’t even see it as a bug. 
Epiphany treats the first site as a self-signed one, which thus has the
same level of security as a non-encrypted connection.

When you are redirected, however, it is the responsibility of the user
to check the domain name the connection is certified for. The fact that
a connection is encrypted does not mean anything other than “you are
actually connecting to this domain”. If you can’t trust the domain, you
can’t trust the connection.

You could argue that, when faced with a non-certified https connection,
epiphany should not follow redirections without a warning, but I’m not
even sure upstream would agree, and I definitely don’t think this is a
RC bug.

Cheers,
-- 
.''`.      Josselin Mouette
: :' :
`. `'
  `-
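As an added illustration of the check the reply describes (this is not code from Epiphany, Debian or either poster): a client that follows an HTTPS redirect has to verify, at every hop, that the presented certificate chains to a trusted CA and that it names the host actually being contacted, and it should not silently carry a redirect issued over an unverified connection into the next hop. The hostnames, SAN lists and trust flags below are constructed sample data; the hostname matching follows the RFC 6125 rules browsers apply (exact dNSName match, a single `*` only as the whole left-most label).

```python
"""Per-hop certificate hostname verification across an HTTPS redirect chain.

Added example for the discussion above; not Epiphany code. All hosts,
certificates and trust flags are constructed in-line, so nothing here
opens a network connection.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Hop:
    """One hop of a redirect chain (constructed data, not a live TLS session)."""
    host: str                          # hostname the client connected to
    san_names: List[str]               # dNSName entries from the certificate
    trusted_chain: bool                # does the certificate chain to a trusted CA?
    redirect_to: Optional[str] = None  # next hostname, or None for the final page


def hostname_matches(host: str, san_names: List[str]) -> bool:
    """RFC 6125-style match of `host` against the certificate's dNSName SANs.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard is
    accepted only as the complete left-most label ("*.example.org"), it covers
    exactly one label, and it must be followed by at least two more labels so
    that "*.com" never matches.
    """
    host = host.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                      # ".example.org"
            if suffix.count(".") < 2:              # reject "*.com", "*.org", ...
                continue
            if not host.endswith(suffix):
                continue
            left = host[: -len(suffix)]            # the part the '*' stands for
            if left and "." not in left:           # exactly one label
                return True
    return False


def check_redirect_chain(hops: List[Hop]) -> List[str]:
    """Walk the chain and return findings; an empty list means every hop verified."""
    findings = []
    for i, hop in enumerate(hops):
        verified = True
        if not hop.trusted_chain:
            verified = False
            findings.append(f"hop {i} ({hop.host}): certificate is not issued by a trusted CA")
        if not hostname_matches(hop.host, hop.san_names):
            verified = False
            findings.append(f"hop {i} ({hop.host}): certificate names {hop.san_names}, not this host")
        # The point raised in the reply: a redirect received over an unverified
        # connection is itself untrusted and should not be followed silently.
        if hop.redirect_to is not None and not verified:
            findings.append(f"hop {i} ({hop.host}): redirect to {hop.redirect_to} came over an unverified connection")
    return findings


# Constructed chain mirroring the shape of the report: a self-signed first
# site that redirects to a second site with a properly issued certificate.
SAMPLE_CHAIN = [
    Hop("first.example.org", ["first.example.org"], trusted_chain=False,
        redirect_to="second.example.net"),
    Hop("second.example.net", ["second.example.net", "*.example.net"], trusted_chain=True),
]

# Constructed chain where both hops verify.
CLEAN_CHAIN = [
    Hop("www.example.org", ["*.example.org"], trusted_chain=True, redirect_to="app.example.org"),
    Hop("app.example.org", ["*.example.org"], trusted_chain=True),
]

if __name__ == "__main__":
    for label, chain in (("sample", SAMPLE_CHAIN), ("clean", CLEAN_CHAIN)):
        print(f"{label} chain:")
        for line in check_redirect_chain(chain) or ["all hops verified"]:
            print("  " + line)
```

Running the module reports two findings for the sample chain (the untrusted certificate on the first hop and the redirect that arrived over it) and none for the clean chain; a browser that tracked the same two conditions would have something to warn about before loading the second site.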