]> ruderich.org/simon Gitweb - tlsproxy/tlsproxy.git/blobdiff - README
ruderich.org/simon / tlsproxy / tlsproxy.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
README: Add KNOWN ISSUES with a minor Firefox problem.
[tlsproxy/tlsproxy.git] / README
diff --git a/README b/README
index 444bec794b59e0573ac4b69f8bc13cc26c665aa5..e60190c8a175c0700bb83575933f1b9c29e5da87 100644 (file)
--- a/README
+++ b/README
@@ -84,3 +84,15 @@ link on a different site) then the proxy just forwards the TLS connection
 (because it doesn't know the fingerprint for https://www.example.org/, that's
 how '-u' works) and you won't be aware that a different server certificate
 might be used!
+
+If you always verify the authentication of the connection this isn't a
+problem, but if you only check if it's a HTTPS connection then this attack is
+possible.
+
+
+KNOWN ISSUES
+------------
+
+- Firefox (at least Iceweasel 3.5.16 on Debian) fails to load the error page
+  sent with the "invalid" certificate once the certificate has been accepted.
+  As the user shouldn't accept the invalid certificate this is a minor issue.
Certificate verifying tlsproxy, prevents MITMs by (manipulated) CAs by verifying the server certificate.