UPDATE: The information here is no longer relevant, since most distro has packaged Elinks with TLS certificate validation enabled by default or this issue has been fixed upstream.
I found out recently that Elinks doesn't validate server certificate when connecting to HTTPS sites. Elinks behavior doesn't comply with section 3.2 of RFC5280: Certification Paths and Trust.
If you want to test this behavior, you can just use openssl
to create a private key and a self signed certificate and use s_server
to debug the connection. The following commands should suffice to generate self signed certificate.
openssl genrsa -out ./privkey.pem 2048
openssl req -new -sha256 -x509 -days 30 -subj '/CN=localhost' -key ./privkey.pem -out ./cert.crt
After the certificate has been created, you can just launch s_server
to serve the debugging information.
openssl s_server -key ./privkey.pem -cert ./cert.crt -HTTP -www
Openssl test server will listen on port 4433 and answer https request on that port.
Now, fire up another terminal and connect to https://localhost:4433
to test whether the browser will warn you before connecting to the test server or skip warning and just connect.
elinks https://localhost:4433
Elinks will happily connect to the test server, without informing the user of invalid certificate configuration. You can compare another browser behavior by connecting to the same Openssl test server and you should greeted by a warning before connecting to the test server.
X509 Public Key Infrastructure relies on certificate anchor to verify whether a certificate is trusted or not. If the verification process is skipped altogether, the user wouldn't know whether the certificate can be trusted or not. It's easy for malicious attacker to serve website with fake certificate or even self-signed one to fool Elinks users, since the text web browser doesn't verify the certificate provided by the server.
If you use Elinks to browse the world wide web and you care about security, turn on certificate validation. This can be accomplished per user basis via Menu -> Setup -> Miscellaneous Options -> SSL -> Verify Certificates
.
Press E
to edit the configuration and replace the default value with 1
to tell the browser that you only want to connect to websites with proper certificate. Don't forget to save the settings afterwards.
Don't worry about extra configuration, since most distributions has included 'CA Bundle' package, which contains trusted certificates from popular certificate authority.