plateaukao / einkbro

A small, fast web browser based on Android WebView. It's tailored for E-Ink devices but also works great on normal android devices.

CVE-2020-0601 (CurveBall) Vulnerability #304

Closed andrew-aitchison closed 7 months ago

andrew-aitchison commented 7 months ago

Samsung A24 Android 13 EinkBro Version 10 17.0.

Viewing the page https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html, it claims that the browser is vulnerable to CVE-2020-0601 (CurveBall) and gives a link, https://www.ssllabs.com:10446/, to another test for this vulnerability, which also fails.

I've tried Android Web viewer, Google Chrome, Firefox and Samsung Internet browsers on the same device. They all show "Your user agent is not vulnerable for CurveBall" on this page.

The details of the CVE suggest that the issue is in a (Windows) system library; since none of the other browsers I have tested appears vulnerable, I don't think that is the problem here.

plateaukao commented 7 months ago

@andrew-aitchison EinkBro does not run on Windows platform.

andrew-aitchison commented 7 months ago

> EinkBro does not run on Windows platform.

True.

But when running on Android and viewing those pages, the server forced EinkBro to do something that other browsers refuse to do because it would be a security risk.

plateaukao commented 7 months ago

@andrew-aitchison What do you mean by "the server forced EinkBro to do something that other browsers refuse to do"? The vulnerability only happens on Windows platform. And EinkBro does not run on Windows. I don't get what you mean by what servers forced EinkBro to do what.

plateaukao commented 7 months ago

@andrew-aitchison I found out something different here. You could turn on Settings > Behavior > Show SSL error dialog in EinkBro. In this way, it will pass the check. (When loading the site, if it says something is wrong with SSL, please click on Cancel.)

plateaukao commented 7 months ago

@andrew-aitchison Since an option in settings can be turned on to fulfill the check, I will close this issue.

andrew-aitchison commented 7 months ago

> What do you mean by "the server forced EinkBro to do something that other browsers refuse to do"?

EinkBro displays/runs the page sent in reply to the request for https://www.ssllabs.com:10446/. Other browsers now give a warning message and do not display that page. Before Microsoft fixed this vulnerability some Windows browsers were displaying the page.

> The vulnerability only happens on Windows platform. And EinkBro does not run on Windows. I don't get what you mean by what servers forced EinkBro to do what.

No. The vulnerability is showing any page that gives that warning. https://www.ssllabs.com:10446/ is not actually dangerous, but it could have included JavaScript that would do something nasty, and many browsers on an unpatched Windows system would have displayed the page, including running the JavaScript or other malicious code without warning you first.

> I find out something different here. You could turn on Settings > Behavior > Show SSL error dialog in EinkBro. In this way, it will pass the check. (when loading the site, and it says something wrong with SSL, please click on cancel).

Thanks. That is good. I can see that an error dialog on an E-Ink display might be slower and more intrusive than on an LCD display, but that dialog should always be shown. It might be OK to have a setting to turn it off, but please make the default to show that dialog.

EinkBro gives the message:

    "Certificate date is invalid." - The certificate of the site
    is not trusted. Proceed anyway?
                    CANCEL          OK

Other browsers give messages which are more scary and more likely to make users think carefully before selecting "OK".

For example Firefox gives the message:

An error occurred during a connection to www.ssllabs.com:10446. security library: improperly formatted DER-encoded message.

Error code: SEC_ERROR_BAD_DER

The page you are trying to view cannot be shown because the
authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

Learn more… Try Again

I consider "improperly formatted DER-encoded message" a more worrying warning than "Certificate date is invalid."

Similarly (at least on Linux) Microsoft Edge gives the error:

    Your connection isn't private
    Attackers might be trying to steal your information from www.ssllabs.com
    (for example, passwords, messages or credit cards).
    NET::ERR_CERT_AUTHORITY_INVALID

    Advanced                Refresh

If you click on "Advanced" you get additional text: www.ssllabs.com uses encryption to protect your information. When Microsoft Edge tried to connect to www.ssllabs.com this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be www.ssllabs.com, or a WiFi sign-in screen has interrupted the connection. Your information is still secure because Microsoft Edge stopped the connection before any data was exchanged.

You can't visit www.ssllabs.com at the moment because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.

On EinkBro if I click on "OK" the browser runs any potentially dangerous code on the page. Clicking on "Try Again" in Firefox or "Refresh" on MS Edge does not display or run the suspect page.

As well as making "Show SSL error dialog in EinkBro" the default, please could you make the dialog warning stronger and add at least one more click before displaying the insecure page and potentially running any dangerous code.

Thanks,
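As an added illustration (not EinkBro's own code) of the Android WebView decision this thread is about: a WebViewClient that silently calls SslErrorHandler.proceed() accepts any certificate that fails validation, which is what the ssllabs test page detects, while the hardened variant below cancels the load unless the user explicitly confirms in a dialog. The class name and the showSslErrorDialog flag are assumptions standing in for the "Show SSL error dialog" setting discussed above; here, turning the dialog off means the load is cancelled rather than silently accepted.

```kotlin
import android.app.AlertDialog
import android.content.Context
import android.net.http.SslError
import android.webkit.SslErrorHandler
import android.webkit.WebView
import android.webkit.WebViewClient

// Hypothetical client (not EinkBro's code); showSslErrorDialog stands in for the
// "Show SSL error dialog" setting. The safe default is to ask before proceeding.
class SslAwareWebViewClient(
    private val context: Context,
    private val showSslErrorDialog: Boolean = true,
) : WebViewClient() {

    // Plain-language reason for the primary validation failure reported by WebView.
    private fun describe(error: SslError): String = when (error.primaryError) {
        SslError.SSL_DATE_INVALID -> "The certificate date is invalid."
        SslError.SSL_EXPIRED -> "The certificate has expired."
        SslError.SSL_NOTYETVALID -> "The certificate is not yet valid."
        SslError.SSL_IDMISMATCH -> "The certificate does not match this site's name."
        SslError.SSL_UNTRUSTED -> "The certificate authority is not trusted."
        else -> "The certificate is invalid."
    }

    override fun onReceivedSslError(view: WebView, handler: SslErrorHandler, error: SslError) {
        // Weak variant, which a test page like ssllabs' flags: accept the bad
        // certificate without asking, so the page and any script on it run.
        //     handler.proceed()
        //
        // Hardened variant: cancel the load unless the user explicitly opts in.
        // Cancelling is also what WebViewClient's default implementation does.
        if (!showSslErrorDialog) {
            handler.cancel()
            return
        }
        AlertDialog.Builder(context)
            .setTitle("Your connection is not private")
            .setMessage(
                describe(error) + "\n\nAttackers may be impersonating " + error.url +
                    ". Continuing will load the page, including any script it contains."
            )
            .setNegativeButton("Go back") { _, _ -> handler.cancel() }
            .setPositiveButton("Proceed anyway (unsafe)") { _, _ -> handler.proceed() }
            // Dismissing the dialog (back key, tap outside) must not count as consent.
            .setOnCancelListener { handler.cancel() }
            .show()
    }
}
```

Each SslErrorHandler must receive exactly one of proceed() or cancel(), so every way of leaving the dialog (including dismissal) resolves it; otherwise the load stays pending.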

plateaukao commented 7 months ago

@andrew-aitchison I set the warning dialog as default now and rephrased the warning message in the dialog too, to make it more intimidating. However, I do not want to show two-step warning dialogs. One dialog should be enough from my point of view. If a second click is better, what about a third click, fourth click, or just rejecting the user's request to view the content? I think it's the user's responsibility to check the dialog, or the website's responsibility to make sure it's not a false alarm or doesn't cause these certificate issues, instead of adding unnecessary UI on the browser to block the user in an even more inconvenient way.

andrew-aitchison commented 7 months ago

Thanks; a great improvement.

wra1w0 commented 6 months ago

On my Onyx Boox Page with Android 11 (but not on Pixel with Android 13), I encounter this error consistently on every other page (e.g., on GitHub) when the option to display the warning is enabled. Also, on some pages, I get this error multiple times, even if I press on OK or Cancel. Some pages don't even load, and I have a blank screen. Sometimes, the app freezes, and I need to restart it.