[Webkit-unassigned] [Bug 208192] [Curl] Add TLS debugging feature to log encryption keys
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed Feb 26 12:25:34 PST 2020
https://bugs.webkit.org/show_bug.cgi?id=208192
Fujii Hironori <Hironori.Fujii at sony.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |achristensen at apple.com,
| |bfulgham at webkit.org,
| |youennf at gmail.com
--- Comment #18 from Fujii Hironori <Hironori.Fujii at sony.com> ---
(In reply to Takashi Komori from comment #17)
> (In reply to Fujii Hironori from comment #16)
> > How do Chrome and Firefox deal with the great security hole?
>
> Other browsers don't seem to have a strong safety guard for this feature.
> In other words just setting the environment variable makes browsers start
> recording encryption keys into local PC.
>
> If the recorded keys is secure and not stolen, the feature itself is secure
> too.
> But we shouldn't assume all systems which use WebKit are implemented right
> and secure.
> So I think offering developers the disabling option is reasonable.
If it's possible for someone to steal file from PC, it's impossible to make the browser safe.
> Also I'm concerning browsers don't have any explicit way to reset or remove
> recorded keys.
I think it's enough to invoke command `rm $SSLKEYLOGFILE`.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200226/ef468e38/attachment.htm>
More information about the webkit-unassigned
mailing list