
I guess if you use Lynx to surf to HTTP basic auth URLs you should switch to another browser until a security update is available. But I'm inclined to say that while this is an interesting bug, I don't think that's an incredibly common scenario.

Update: It seems there's a preliminary patch that will not fix HTTP auth URLs, but will prevent the info leak: https://www.openwall.com/lists/oss-security/2021/08/07/7



Plain auth websites are pretty uncommon these days. That said, if using other authentication methods is annoying or inconvenient in Lynx (I don't know, I've never used it) then there may be some correlation between Lynx users and plain auth websites, meaning this could impact a large fraction of the Lynx userbase.


HTTP basic authentication URLs are never secure (that requires HTTPS) and are not supported in links by browsers these days.


This bug only affects HTTPS basic auth, given that the issue is with SNI (and, of course, that basic auth over HTTP doesn’t have any encryption to leak around).



