RejectedSoftware Forums


[security] Host name/IP not verified against SSL certificates.

Hi all,

I just wanted to make sure everybody is aware of this critical bug in the SSL client implementations (HTTPS, SMTP/TLS, …): https://github.com/rejectedsoftware/vibe.d/issues/469

It results in the connection being vulnerable to man-in-the-middle attacks, as any valid certificate will be accepted by the client code, even if it is not issued for the correct host name/IP.

Best,
David

(As I'm not aware of any production vibe.d deployments where this could be an exploitable issue yet, I chose to immediately publish this. If anybody wants me to follow usual Responsible Disclosure procedures in the future, please let me know, although this should also be documented on vibed.org.)

Re: [security] Host name/IP not verified against SSL certificates.

On 17.01.2014 16:09, David Nadlinger wrote:

Hi all,

I just wanted to make sure everybody is aware of this critical bug in the SSL client implementations (HTTPS, SMTP/TLS, …): https://github.com/rejectedsoftware/vibe.d/issues/469

It results in the connection being vulnerable to man-in-the-middle attacks, as any valid certificate will be accepted by the client code, even if it is not issued for the correct host name/IP.

Best,
David

(As I'm not aware of any production vibe.d deployments where this could be an exploitable issue yet, I chose to immediately publish this. If anybody wants me to follow usual Responsible Disclosure procedures in the future, please let me know, although this should also be documented on vibed.org.)

I'm aware of this issue and should indeed (have) add(ed) a big
exclamation mark somewhere right from the start, mentioning that this
isn't implemented. It's one of the things that I didn't tackle yet,
because it wasn't important for my own applications and it doesn't
impact the usual server applications, so I viewed it more as a missing
feature rather than a security issue.

It should also be noted that not only host verification must be
performed, but also the certificate chain needs to be checked against
some root CA list (on Windows, is there anything available or is it
necessary to ship one's own list?).

This will have high priority in my task queue.
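The two client-side checks the reply above calls for (host name verification and chain validation against a root CA list), as an added Python example that is not vibe.d code or part of this thread; the SAN entries and host names are constructed sample values, and the wildcard rules follow RFC 6125 as clients commonly implement them:

```python
from __future__ import annotations
import ipaddress
import ssl

# Added example, not vibe.d code. Certificate names passed in below are
# constructed sample values, not real certificates.

def _name_matches(pattern: str, name: str) -> bool:
    """Match one DNS name against one certificate name, case-insensitively.
    A wildcard is honoured only as the whole leftmost label (*.example.com),
    never across a dot, so *.example.com covers www.example.com but not
    example.com, a.b.example.com, and *.com is never accepted."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == name
    p_labels, n_labels = pattern.split("."), name.split(".")
    return len(p_labels) == len(n_labels) >= 3 and p_labels[1:] == n_labels[1:]


def host_matches_cert(host: str, san: list[tuple[str, str]],
                      cn: str | None = None) -> bool:
    """True if `host` (DNS name or IP literal) is covered by the certificate's
    subjectAltName entries, given as [("DNS", ...), ("IP Address", ...)].
    The subject CN is consulted only when no DNS SAN is present."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    dns_names = [v for k, v in san if k == "DNS"]
    ip_names = [v for k, v in san if k == "IP Address"]
    if ip is not None:
        # An IP literal must match an IP SAN exactly; DNS names/wildcards never apply.
        return any(ipaddress.ip_address(v) == ip for v in ip_names)
    if dns_names:
        return any(_name_matches(p, host) for p in dns_names)
    return cn is not None and _name_matches(cn, host)


def client_context(cafile: str | None = None) -> ssl.SSLContext:
    """A client context that performs both checks: chain verification against
    a root CA list (the platform store when cafile is None) plus host name
    verification. By contrast, a context with verify_mode=ssl.CERT_NONE and
    check_hostname=False accepts any certificate, which is the bug reported."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx
```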

Re: [security] Host name/IP not verified against SSL certificates.

On 2014-01-17 10:43, Sönke Ludwig wrote:

On 17.01.2014 16:09, David Nadlinger wrote:

Hi all,

I just wanted to make sure everybody is aware of this critical bug in
the SSL client implementations (HTTPS, SMTP/TLS, …):
https://github.com/rejectedsoftware/vibe.d/issues/469

It results in the connection being vulnerable to man-in-the-middle
attacks, as any valid certificate will be accepted by the client code,
even if it is not issued for the correct host name/IP.

Best,
David

(As I'm not aware of any production vibe.d deployments where this
could be an exploitable issue yet, I chose to immediately publish
this. If anybody wants me to follow usual Responsible Disclosure
procedures in the future, please let me know, although this should
also be documented on vibed.org.)

I'm aware of this issue and should indeed (have) add(ed) a big
exclamation mark somewhere right from the start, mentioning that this
isn't implemented. It's one of the things that I didn't tackle yet,
because it wasn't important for my own applications and it doesn't
impact the usual server applications, so I viewed it more as a missing
feature rather than a security issue.

It should also be noted that not only host verification must be
performed, but also the certificate chain needs to be checked against
some root CA list (on Windows, is there anything available or is it
necessary to ship one's own list?).

This will have high priority in my task queue.

I think you're going to need this for Windows:

https://code.google.com/p/kdlib/source/browse/trunk/imports/c/windows/wincrypt.d?spec=svn9&r=9

In particular, you need CertGetCertificateChain

I'd just rip off the IsCertificateValid from here:

http://www.helplib.net/pdf_2b55841f6e72b0fb29001db8f0f1b532.pdf

I just realized I need this too ;)