Re: IE https certificate attack

From: Jim Knoble (jmknobleat_private)
Date: Mon Jan 07 2002 - 15:22:02 PST

Next message: Bjorn Djupvik: "svindel.net security advisory - web admin vulnerability in CacheOS"

Previous message: Nick FitzGerald: "Re: ICQ remote buffer overflow vulnerability"
In reply to: Helmut Springer: "Re: IE https certificate attack"
Next in thread: Ben Laurie: "Re: AW: IE https certificate attack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Circa 2002-Jan-06 10:04:23 +0100 dixit Helmut Springer:

: On 03 Jan 2002 at 15:04 +0100, K.J.Muellerat_private wrote:
: > - w3m 0.1.11-pre
: 
: Curent is w3m-0.2.3.2 and ssl_verify_server was added 2000.4.21.

Yes, but as of w3m-0.2.4, SSL server verification is disabled at
compile-time by default.  It's necessary to explicitly enable it,
either by using the interactive mode of the configure script, or by
#defining USE_SSL_VERIFY in config.h after a non-interactive configure
ande before compiling.

You can check whether your w3m has SSL server verification enabled
using:

  w3m -version

If "ssl-verify" appears in the version output, then w3m has SSL server
verification enabled.

And even if SSL server verification is enabled, it's not turned on by
default.  You can turn it on via w3m's options screen (press 'o'
[lowercase letter Oh]).

-- 
jim knoble | jmknobleat_private   | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)

application/pgp-signature attachment: stored

Next message: Bjorn Djupvik: "svindel.net security advisory - web admin vulnerability in CacheOS"
Previous message: Nick FitzGerald: "Re: ICQ remote buffer overflow vulnerability"
In reply to: Helmut Springer: "Re: IE https certificate attack"
Next in thread: Ben Laurie: "Re: AW: IE https certificate attack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jan 08 2002 - 14:28:06 PST