HTTrack Website Copier
Free software offline browser - FORUM
Subject: Re: httrack fails to copy HTTPS host with AUTH + SNI
Author: Joel Brunenberg
Date: 03/20/2017 09:10
 
I thought about this on the weekend some more and I am now convinced that this
is a very serious security problem more than a functional bug. 

Leaking the credentials into SNI presents them to attackers on the network
in clear text and also produces a protocol violation that is most probably
logged on the server side in clear text. So we bypass the encryption during
transmission and, with some reasonable probability, create a permanent record of
the username and password by causing a protocol violation (admittedly, this is
not httrack's fault really, but still serious).

I am quite surprised that I cannot find this mentioned before in the forums.
Either this is some flaw with the version I am using (will check with the
latest source) or no one seems to use httrack for websites requiring
authentication via SSL and SNI.

Really strange
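
Added example, not part of the original post and not HTTrack's code: a Python sketch of the failure mode described above next to a hardened derivation of the SNI name. It assumes the leak comes from passing the URL's whole authority component (user:password@host:port) as the TLS server name; the function names and the sample URL are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# SNI (RFC 6066 server_name) carries a DNS hostname only: dot-separated
# letter/digit/hyphen labels, no userinfo, no port, no IP literal.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$"
)

def naive_sni(url):
    """Assumed flawed pattern: the whole authority is used as the server name."""
    return urlsplit(url).netloc

def is_valid_sni(name):
    """True only for a plain DNS hostname; also usable on logged SNI values."""
    return bool(_HOSTNAME.match(name.lower()))

def safe_sni(url):
    """Return the name to send in SNI, or None when no SNI should be sent."""
    host = urlsplit(url).hostname  # drops userinfo and port, lowercases
    if not host:
        raise ValueError("URL has no host")
    host = host.rstrip(".")
    try:
        ipaddress.ip_address(host)
        return None  # IP literals are not sent in SNI
    except ValueError:
        pass
    ascii_host = host.encode("idna").decode("ascii")  # IDN -> A-labels
    if not is_valid_sni(ascii_host):
        raise ValueError("refusing to send malformed server name")
    return ascii_host

# Constructed sample URL with embedded credentials.
SAMPLE_URL = "https://alice:s3cret@example.com:8443/private/"

if __name__ == "__main__":
    print("naive:", naive_sni(SAMPLE_URL))  # credentials would be on the wire
    print("safe: ", safe_sni(SAMPLE_URL))
```

The same `is_valid_sni` check can be run over server-side logs of rejected handshakes to find entries where a client has already exposed credentials this way.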
 