Vigil@nce - WebKitGTK+: late check of X.509 certificate
April 2015 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker, owning a TLS server, can invite a WebKitGTK+ client
to connect, in order to capture information about the client.
– Impacted products: Fedora, Unix (platform), WebKit
– Severity: 1/4
– Creation date: 30/03/2015
DESCRIPTION OF THE VULNERABILITY
The WebKitGTK+ product implements a TLS client.
However, this client only checks the server's X.509 certificate after it has
already sent its HTTP query, so the request reaches the server before the
client knows whether the peer is trustworthy.
An attacker, owning a TLS server, can therefore invite a
WebKitGTK+ client to connect, in order to capture information
about the client.
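The ordering defect described above, as an added example that is not code from the bulletin or from WebKitGTK+: a constructed stand-in connection object reports the certificate verification result the way a TLS library might, and two client routines differ only in whether they consult that result before or after sending the HTTP request. The names (FakeTLSConnection, send_request_late_check, send_request_checked, make_verifying_context) and the error set values are assumptions made for this illustration.

```python
import ssl


class FakeTLSConnection:
    """Constructed stand-in for a TLS connection (example only, not a real socket).

    Models the situation the bulletin describes: the TLS session is up and the
    library reports certificate problems as a result the application must
    inspect itself, rather than refusing the handshake outright.
    """

    def __init__(self, cert_errors):
        # Constructed error labels, e.g. {"UNKNOWN_CA", "BAD_IDENTITY"}.
        self.cert_errors = frozenset(cert_errors)
        self.sent = []  # every byte string the peer would have observed

    def verify_result(self):
        """Return the set of certificate errors; empty means the cert is valid."""
        return self.cert_errors

    def sendall(self, data):
        self.sent.append(data)


def build_request(host, path="/"):
    """Minimal HTTP/1.1 GET; the Host header is the 'information' leaked."""
    return (
        f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    ).encode("ascii")


def send_request_late_check(conn, host, path="/"):
    """Vulnerable ordering: the request leaves before the certificate is checked.

    Even though the error is raised, conn.sent already holds the request, so a
    rogue server has captured it.
    """
    conn.sendall(build_request(host, path))
    errors = conn.verify_result()
    if errors:
        raise ssl.SSLCertVerificationError(
            f"certificate verify failed: {sorted(errors)}"
        )
    return True


def send_request_checked(conn, host, path="/"):
    """Hardened ordering: verify first, send only if the certificate is clean."""
    errors = conn.verify_result()
    if errors:
        raise ssl.SSLCertVerificationError(
            f"certificate verify failed: {sorted(errors)}"
        )
    conn.sendall(build_request(host, path))
    return True


def bytes_exposed(conn):
    """Total application bytes the server side saw, regardless of outcome."""
    return sum(len(chunk) for chunk in conn.sent)


def make_verifying_context(cafile=None):
    """Real ssl.SSLContext configured so verification is part of the handshake.

    With this context, ssl.SSLContext.wrap_socket(sock, server_hostname=host)
    raises during do_handshake() on an untrusted or mismatched certificate, so
    no application data can be sent first.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    rogue = FakeTLSConnection({"UNKNOWN_CA"})
    try:
        send_request_late_check(rogue, "client.example.test")
    except ssl.SSLCertVerificationError as exc:
        print("late check rejected the server, but leaked", bytes_exposed(rogue), "bytes:", exc)

    rogue = FakeTLSConnection({"UNKNOWN_CA"})
    try:
        send_request_checked(rogue, "client.example.test")
    except ssl.SSLCertVerificationError as exc:
        print("early check rejected the server and leaked", bytes_exposed(rogue), "bytes:", exc)
```

With Python's own ssl module, certificate and hostname verification happen inside the handshake, so make_verifying_context() makes the late-check pattern impossible for that code path; the explicit guard in send_request_checked is what matters when a library hands back verification results out of band and leaves the decision to the caller.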
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/WebKitGTK-late-check-of-X-509-certificate-16489