Re: httrack fails to copy HTTPS host with AUTH + SNI

Subject: Re: httrack fails to copy HTTPS host with AUTH + SNI

Author: Joel Brunenberg

Date: 03/20/2017 09:10

I thought about this on the weekend some more and I am now convinced that this
is a very serious security problem more than a functional bug. 

Leaking the Credentials into SNI is presenting it to attackers on the network
in clear text as well as producing a Protocol violation that is most probably
logged on the server side in clear text. So we bypass the encryption during
transmission and with some reasonable probability create a permanent record of
the username and password by causing a protocol violation (admitted, this is
not httrack's fault really, but still serious).

I am quite surprised that I can not find this mentioned before in the forums.
Either this is some flaw with the version I am using (will check with the
latest source) or noone seems to use httrack for websites requiring
authentication via SSL and SNI. 

Really strange

Create subthread

All articles

Subject	Author	Date
httrack fails to copy HTTPS host with AUTH + SNI		03/17/2017 16:31
Re: httrack fails to copy HTTPS host with AUTH + SNI		03/20/2017 09:10