Elinks users, beware!

I found out recently that Elinks doesn't validate the server certificate when connecting to HTTPS sites. Elinks' behavior doesn't comply with section 3.2 of RFC 5280, Certification Paths and Trust.

If you want to test this behavior, you can use openssl to create a private key and a self-signed certificate, then use s_server to debug the connection. The following commands generate the self-signed certificate.

openssl genrsa -out ./privkey.pem 2048

openssl req -new -sha256 -x509 -days 30 -subj '/CN=localhost' -key ./privkey.pem -out ./cert.crt

After the certificate has been created, launch s_server to serve the debugging information.

openssl s_server -key ./privkey.pem -cert ./cert.crt -HTTP -www

The OpenSSL test server listens on port 4433 and answers HTTPS requests on that port.

Now fire up another terminal and connect to https://localhost:4433 to test whether the browser warns you before connecting to the test server, or skips the warning and just connects.

elinks https://localhost:4433

Elinks will happily connect to the test server without informing the user that the certificate is invalid. You can compare another browser's behavior by pointing it at the same OpenSSL test server: you should be greeted by a warning before it connects.

About X509 Public Key Infrastructure

X.509 Public Key Infrastructure relies on trust anchors (the CA certificates the client already trusts) to decide whether a certificate is trusted or not. If the verification process is skipped altogether, the user has no way of knowing whether the certificate can be trusted. A malicious attacker can easily serve a website with a fake certificate, or even a self-signed one, to fool Elinks users, since the text web browser doesn't verify the certificate provided by the server.
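To reproduce the s_server test above without typing the commands by hand, and to show this section's trust-anchor point in action, here is an added shell script; it is not part of the original post or of the Elinks project. It generates the same key and self-signed certificate, starts the same s_server (on port 4433 unless PORT is set, an assumption of the script), then connects twice with openssl s_client configured to enforce verification: once with only the system CA bundle, where OpenSSL reports X.509 error 18 (self-signed certificate) and aborts the handshake, and once with cert.crt supplied as an explicit trust anchor, where the same chain validates. The first run is what a browser that follows RFC 5280 does with this server; the second shows that validation hinges on the anchor, not on the certificate alone.

```shell
#!/bin/sh
# Added example, not part of the original post: automate the s_server test
# and show what a verifying client makes of the self-signed certificate,
# with and without a trust anchor. Assumes the openssl binary is on PATH;
# the port and the temp directory layout are constructed here.

PORT="${PORT:-4433}"
WORKDIR=""
SERVER_PID=""

# Same two commands as the post, writing into a fresh temp directory.
make_selfsigned() {
    WORKDIR=$(mktemp -d)
    openssl genrsa -out "$WORKDIR/privkey.pem" 2048 >/dev/null 2>&1 &&
    openssl req -new -sha256 -x509 -days 30 -subj '/CN=localhost' \
        -key "$WORKDIR/privkey.pem" -out "$WORKDIR/cert.crt" >/dev/null 2>&1
}

# Start the post's s_server in the background and wait until it accepts TCP
# connections (s_client prints CONNECTED(...) once the socket is connected).
start_server() {
    openssl s_server -key "$WORKDIR/privkey.pem" -cert "$WORKDIR/cert.crt" \
        -accept "$PORT" -www >/dev/null 2>&1 &
    SERVER_PID=$!
    tries=0
    while [ "$tries" -lt 10 ]; do
        if printf '' | openssl s_client -connect "localhost:$PORT" 2>&1 | grep -q 'CONNECTED('; then
            return 0
        fi
        tries=$((tries + 1))
        sleep 1
    done
    return 1
}

stop_server() {
    if [ -n "$SERVER_PID" ]; then
        kill "$SERVER_PID" 2>/dev/null || true
        wait "$SERVER_PID" 2>/dev/null || true
        SERVER_PID=""
    fi
    if [ -n "$WORKDIR" ]; then
        rm -rf "$WORKDIR"
        WORKDIR=""
    fi
}

# Connect like a browser that enforces RFC 5280 path validation: -verify makes
# s_client check the chain and -verify_return_error aborts the handshake when
# the check fails. Extra arguments (e.g. -CAfile) are passed through. Prints
# the X.509 verify error number OpenSSL reported, or 0 when the chain validated.
verify_error() {
    out=$(printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "localhost:$PORT" \
        -servername localhost -verify 5 -verify_return_error "$@" 2>&1 || true)
    code=$(printf '%s\n' "$out" | sed -n 's/.*verify error:num=\([0-9]*\):.*/\1/p' | head -n 1)
    printf '%s\n' "${code:-0}"
}

run_demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    make_selfsigned && start_server || { stop_server; return 1; }
    # No usable trust anchor: error 18 (X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
    # and the verifying client refuses to complete the handshake.
    echo "system CA bundle only:  verify error $(verify_error)"                            # 18
    # The same certificate installed as a trust anchor validates cleanly.
    echo "cert.crt as anchor:     verify error $(verify_error -CAfile "$WORKDIR/cert.crt")"  # 0
    stop_server
}

run_demo
```

Run it with `sh elinks_tls_check.sh`; set PORT to something else if 4433 is taken. The second connection is the moral of the section: a client that validates paths needs an anchor it trusts, and the only thing separating "refused" from "accepted" here is whether cert.crt is in that set, a decision Elinks never asks the user to make.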

Protect Yourself!

If you use Elinks to browse the world wide web and you care about security, turn on certificate validation. This can be done on a per-user basis via Menu -> Setup -> Miscellaneous Options -> SSL -> Verify Certificates.

Press E to edit the setting and replace the default value with 1 to tell the browser that you only want to connect to websites with a valid certificate. Don't forget to save the settings afterwards.

Don't worry about extra configuration: most distributions include a 'CA bundle' package containing the trusted certificates of the popular certificate authorities.
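As an added example (not from the original post or the Elinks project), here is a small shell check for the setting just described. It assumes that the Verify Certificates menu entry is stored in ~/.elinks/elinks.conf as the option connection.ssl.cert_verify, written as `set connection.ssl.cert_verify = 1`; confirm the key name against the elinks.conf your ELinks version writes before relying on it. The script reports the effective value (last assignment wins, commented lines are ignored) and appends an enabling line when needed; the demo at the bottom works on a constructed temporary file rather than your real configuration.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an ELinks configuration
# file for certificate verification and enable it if it is off or unset.
# Assumption: the "Verify Certificates" setting is stored as
#     set connection.ssl.cert_verify = 1
# in elinks.conf (default path ~/.elinks/elinks.conf).

# Print the effective value (0 or 1) of connection.ssl.cert_verify in the
# given file, or "unset" if the file is missing or never assigns it.
# Only uncommented "set ..." lines count; the last assignment wins.
cert_verify_value() {
    conf="$1"
    [ -f "$conf" ] || { echo unset; return; }
    val=$(sed -n 's/^[[:space:]]*set[[:space:]]\{1,\}connection\.ssl\.cert_verify[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' "$conf" | tail -n 1)
    echo "${val:-unset}"
}

# Append an enabling assignment unless verification is already on.
# Returns 0 when the file ends up with verification enabled.
enable_cert_verify() {
    conf="$1"
    if [ "$(cert_verify_value "$conf")" = 1 ]; then
        return 0
    fi
    mkdir -p "$(dirname "$conf")"
    printf '%s\n' 'set connection.ssl.cert_verify = 1' >> "$conf"
    [ "$(cert_verify_value "$conf")" = 1 ]
}

# Demo on a constructed sample, not on the real ~/.elinks/elinks.conf.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
## ELinks configuration file (constructed sample for this demo)
# set connection.ssl.cert_verify = 1
set connection.ssl.cert_verify = 0
EOF
echo "before: $(cert_verify_value "$demo_conf")"                              # 0 (the commented line does not count)
enable_cert_verify "$demo_conf" && echo "after:  $(cert_verify_value "$demo_conf")"  # 1
rm -f "$demo_conf"
```

To check your own profile, call `cert_verify_value "$HOME/.elinks/elinks.conf"` from the same shell; `enable_cert_verify` on that path makes the change the menu step above makes, but if ELinks is running at the time, save its settings from the menu instead so it does not overwrite the file on exit.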
