[Surfraw-devel] Bug#856108: surfraw: most elvi use insecure URLs
Adam Borowski
kilobyte at angband.pl
Sat Feb 25 06:52:15 UTC 2017
Package: surfraw
Version: 2.2.9-1
Severity: normal
Hi!
All elvi point to http URLs, and at most sometimes allow an option to use
"experimental" SSL support with an old URL, such as wikipedia:
https://secure.wikimedia.org/wikipedia/$LANG/w/index.php?search=%s&go=Go
instead of https://$LANG.wikipedia.org/wiki/%s
I've checked ~10 at random, all of them not only support https as the
primary URL but even redirect http to https.
Thus, giving the query over http is strictly harmful: it allows an attacker
to spy on and/or redirect your queries, slows down the connection (there's
the redirect first) and gives no benefit in case either your browser or the
server has SSL problems, as the redirect will block access to http anyway.
So, please switch all sites to https.
More information about the Surfraw-devel
mailing list