💾 Archived View for station.martinrue.com › acidus › efc36ab964dc4da292bb95f031217b37 captured on 2023-04-20 at 00:49:47. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2023-03-20)

➡️ Next capture (2023-05-24)

🚧 View Differences

-=-=-=-=-=-=-

👽 acidus

there is an interesting and serious security vulnerability in OpenSSL that may impact Gemini servers. basically a Malformed certificate can cause a crash to a program using OpenSSL to read it. Gemini uses client side certificates, so I can create a malformed client side and connect to random Gemini capsides and send it as part of the TLS handshake. this could crash the Gemini server.

to be clear I think TLS in Gemini is A Good Thing (tm). this is the biggest issue in 6 years which shows how far OpenSSL has come. but it does show how the security of a system is a union of the security of its parts

https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/

5 months ago · 👍 eaplmx, prk, oofbar, tm85

Links

[1] https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/

Actions

👋 Join Station

4 Replies

👽 slondr

Score 1 for those of use not using OpenSSL · 5 months ago

👽 dimkr

Yet another reason to host capsules on ESP32 with mbedtls · 5 months ago

👽 acidus

ahhh. looks like a self-signed cert, which virtually all client-side certs used in Gemini clients are, will not activate the vulnerable code path.

https://github.com/colmmacc/CVE-2022-3602 · 5 months ago

👽 eaplmx

Wow, thanks for sharing. I also thing that TLS is good for privacy reasons, so I guess it's a good moment to update OpenSSL... 🤔 · 5 months ago