[Webkit-unassigned] [Bug 208192] [Curl] Add TLS debugging feature to log encryption keys

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Feb 26 12:25:34 PST 2020


Fujii Hironori <Hironori.Fujii at sony.com> changed:

           What    |Removed                     |Added
                 CC|                            |achristensen at apple.com,
                   |                            |bfulgham at webkit.org,
                   |                            |youennf at gmail.com

--- Comment #18 from Fujii Hironori <Hironori.Fujii at sony.com> ---
(In reply to Takashi Komori from comment #17)
> (In reply to Fujii Hironori from comment #16)
> > How do Chrome and Firefox deal with the great security hole?
> Other browsers don't seem to have a strong safety guard for this feature.
> In other words just setting the environment variable makes browsers start
> recording encryption keys into local PC.
> If the recorded keys is secure and not stolen, the feature itself is secure
> too.
> But we shouldn't assume all systems which use WebKit are implemented right
> and secure.
> So I think offering developers the disabling option is reasonable.

If it's possible for someone to steal file from PC, it's impossible to make the browser safe.

> Also I'm concerning browsers don't have any explicit way to reset or remove
> recorded keys.

I think it's enough to invoke command `rm $SSLKEYLOGFILE`.

You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200226/ef468e38/attachment.htm>

More information about the webkit-unassigned mailing list