
Re: lynx-dev Patch for SSL warning


From: David Woolley
Subject: Re: lynx-dev Patch for SSL warning
Date: Mon, 18 Nov 2002 22:53:43 +0000 (GMT)

>   should be suppressed by default. It didn't occur in OpenSSL until 3 months
>   ago (lynx.cfg, lyrcfile.h, lyreadcfg.c and http.[ch])

Lynx was broken from a security point of view until a few months ago.  It
failed to authenticate the server.

> +.h2 SSL_IGNORE_CERT_ERROR
> +# Ignore errors from OpenSSL saying "unable to get local issuer certificate
> +# Only affects https sites. Lynx must be compied with USE_SSL for this

Typo on compiled.

> +# setting to take effect.

You should include a warning that this makes Lynx vulnerable to man in the
middle attacks and impostor sites.

> +#
> +#SSL_IGNORE_CERT_ERROR:TRUE
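
Review bot: the description under `.h2 SSL_IGNORE_CERT_ERROR` does not match the option's name: the name covers certificate errors in general, while the comment names only the single OpenSSL message "unable to get local issuer certificate" (and that quotation is never closed). Close the quote and state exactly which verification failures the setting suppresses, or rename the option to match the one error it handles. The text also never states the default; the only hint is the commented-out `#SSL_IGNORE_CERT_ERROR:TRUE` line, so the description should say explicitly what value applies when the option is not set.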

NO NO NO NO. The default should be secure.  Suppressing symptoms of security
problems is a very bad cure for those problems.
