I found out recently that Elinks doesn't validate the server certificate when connecting to HTTPS sites. Elinks' behavior doesn't comply with section 3.2 of RFC 5280, Certification Paths and Trust.
If you want to test this behavior, you can just use openssl to create a private key and a self-signed certificate, and then use s_server to debug the connection. The following commands should suffice to generate a self-signed certificate.
openssl genrsa -out ./privkey.pem 2048
openssl req -new -sha256 -x509 -days 30 -subj '/CN=localhost' -key ./privkey.pem -out ./cert.crt
After the certificate has been created, you can just launch s_server to serve the debugging information.
openssl s_server -key ./privkey.pem -cert ./cert.crt -HTTP -www
The OpenSSL test server will listen on port 4433 and answer HTTPS requests on that port.
Now, fire up another terminal and connect to https://localhost:4433 to test whether the browser warns you before connecting to the test server, or skips the warning and just connects.
Elinks will happily connect to the test server without informing the user of the invalid certificate. You can compare with another browser by connecting to the same OpenSSL test server; you should be greeted by a warning before the connection proceeds.
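To automate the check described above, here is an added Python probe (not part of the original post and not Elinks code) that performs the trust-anchor validation Elinks skips. It assumes the openssl s_server from the post is listening on localhost:4433 and that cafile, if given, is a PEM CA bundle such as the one shipped by your distribution.

```python
import socket
import ssl

# Added example: a client-side probe that does the certificate validation
# Elinks skips. Against the self-signed s_server on localhost:4433 the
# verifying context refuses the chain, while verify=False connects the way
# Elinks does. cafile is assumed to be a PEM CA bundle (None = system store).


def make_context(verify: bool, cafile=None) -> ssl.SSLContext:
    """verify=True mirrors a browser with 'Verify Certificates' on;
    verify=False mirrors Elinks' default of trusting anything."""
    ctx = ssl.create_default_context(cafile=cafile)
    if not verify:
        ctx.check_hostname = False       # hostname check needs CERT_REQUIRED
        ctx.verify_mode = ssl.CERT_NONE  # accept any certificate at all
    return ctx


def probe(host: str, port: int, cafile=None, timeout: float = 5.0) -> dict:
    """Attempt a verified handshake and report why it failed, if it did."""
    result = {"host": host, "port": port, "verified": False, "reason": ""}
    ctx = make_context(True, cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["verified"] = True
                result["reason"] = "chain validated to a trust anchor"
                result["subject"] = tls.getpeercert().get("subject", ())
    except ssl.SSLCertVerificationError as e:
        # TLS was negotiated but the chain does not lead to a trust anchor
        # (self-signed, unknown CA, expired, name mismatch). This is the
        # condition a browser warns about and Elinks silently ignores.
        result["reason"] = "certificate rejected: " + getattr(
            e, "verify_message", str(e))
    except (ssl.SSLError, OSError) as e:
        # No usable TLS handshake: refused, reset, timeout or a non-TLS peer.
        result["reason"] = "handshake failed: " + e.__class__.__name__
    return result


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 4433
    print(probe(host, port))
```

Run it against the s_server from the post to see "certificate rejected: self-signed certificate"; the same probe reports "chain validated" against a properly issued certificate.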
X.509 public key infrastructure relies on trust anchors to decide whether a certificate is trusted or not. If the verification process is skipped altogether, the user has no way of knowing whether the certificate can be trusted. It's easy for an attacker to serve a website with a fake certificate, or even a self-signed one, to fool Elinks users, since the text web browser doesn't verify the certificate provided by the server.
If you use Elinks to browse the world wide web and you care about security, turn on certificate validation. This can be done on a per-user basis via
Menu -> Setup -> Miscellaneous Options -> SSL -> Verify Certificates.
Press E to edit the option and replace the default value with 1 to tell the browser that you only want to connect to websites with a proper certificate. Don't forget to save the settings afterwards.
Don't worry about extra configuration, since most distributions include a 'CA Bundle' package, which contains the trusted certificates of the popular certificate authorities.