Failure to check TLS certificate hostname

Bug #1419351 reported by Christopher Head
Affects: Midori Web Browser
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

I put this in my hosts file to simulate a network-layer man-in-the-middle attack (note that the IP address is that of facebook.com):
173.252.120.6 google.com

I then typed “https://google.com/” into the Midori address bar and pressed Enter. I was presented with the Facebook homepage, without so much as a warning message or even an unlocked padlock icon. Now replace “facebook.com” with “evilhaxor.com” in the above description.

alias a=b; echo Copy carefully #bout:version

Version numbers in brackets show the version used at runtime.

Command line /usr/bin/midori
Midori 0.5.9 ((null)) Midori
GTK+ 3.12.2 (3.12.2) Glib 2.40.2 (2.40.2)
WebKit2GTK+ 2.4.7 (2.4.8) libSoup 2.46.0
cairo 1.12.16 (1.12.16) libnotify 0.7.5
gcr 3.12.2 granite No
Platform X11; Linux x86_64
Identification Mozilla/5.0 (X11; Linux) AppleWebKit/537.32 (KHTML, like Gecko) Chrome/18.0.1025.133 Safari/537.32 Midori/0.5

Netscape Plugins:

Shockwave Flash Shockwave Flash 11.2 r202
Google Talk Plugin Video Renderer Version: 5.4.2.0
Google Talk Plugin Version: 5.4.2.0
Java(TM) Plug-in 10.76.2 Next Generation Java Plug-in 10.76.2 for Mozilla browsers

information type: Private Security → Public
information type: Public → Public Security
This report contains Public Security information  
Everyone can see this security related information.
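
The check whose absence this report describes, as an added example that is not part of the original report and is not Midori, WebKitGTK or libsoup code: after the certificate chain validates, the client must still confirm that the certificate names the host the user requested. The function names are hypothetical, the certificates are constructed sample data, and the matching rules are a simplified reading of RFC 6125 that consults dNSName entries only.

```python
# Added example: simplified RFC 6125 hostname check. All names are hypothetical.

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare one dNSName SAN entry with the host the user asked for."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Wildcard only as the whole left-most label, never directly
        # under a top-level label ("*.com"), and it covers one label only.
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in pattern:
        return False  # partial wildcards such as "w*.example" are refused
    return p == h


def cert_matches_host(cert: dict, requested_host: str) -> bool:
    """True only if some dNSName SAN covers the requested host.

    CN fallback is deliberately left out of this sketch.
    """
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(dns_name_matches(name, requested_host) for name in sans)


def client_decision(cert: dict, requested_host: str) -> str:
    """What a browser should do after chain validation has already passed."""
    return "proceed" if cert_matches_host(cert, requested_host) else "block and warn"


# Constructed certificates, shaped like ssl.SSLSocket.getpeercert() output.
FACEBOOK_CERT = {"subjectAltName": (("DNS", "*.facebook.com"), ("DNS", "facebook.com"))}
GOOGLE_CERT = {"subjectAltName": (("DNS", "*.google.com"), ("DNS", "google.com"))}

if __name__ == "__main__":
    # Scenario from the report: the user asked for google.com and the server
    # presented a certificate that is valid, but for facebook.com.
    print(client_decision(FACEBOOK_CERT, "google.com"))
    print(client_decision(GOOGLE_CERT, "www.google.com"))
```

A client that stops after chain validation accepts the first case, which is the behaviour the report describes.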
