I wrote:
noname wrote:
SSL3 and compression are not the main issue. HTTPS in dillo is completely broken because it does not check for domain name in the certificate. hg tip has checking code copied from wget and current dillo release has no code for it at all. It means that Dillo accepts any valid certificate as a certificate for, let's say, gmail. You can get one from StartSSL for free and test, it works.
Right, I hadn't wanted to do any real New Work for 3.0.5 that would require a somewhat higher level of scrutiny and testing, but all right, I'll take a look at gluing that stuff into the https dpi.
Adapted the name checking to fit into the dpi, plus server name indication while I was at it. Looks like it may be working. I'll push the code to the server later if you can promise to help give it heavy testing in coming days. When you're browsing, if you just change http to https, so many sites that don't expect TLS connections will offer up certificates that are broken in some way. And then try the various cancel/continue combinations...
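The kind of name check discussed in this thread, as an added example that is not part of the original message and is not Dillo's or wget's code: it compares the host the user asked for against the names carried in a certificate, with a wildcard allowed only as the whole leftmost label. It assumes the names have already been extracted from the certificate and that chain validation happens separately; the function names and sample hosts are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality; DNS names compare without regard to case. */
static int eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;                      /* both strings must end together */
}

/* Does one certificate name (e.g. a subjectAltName dNSName) cover host? */
int name_matches_host(const char *pattern, const char *host)
{
    const char *dot, *host_rest;
    if (strchr(pattern, '*') == NULL)
        return eq_nocase(pattern, host);  /* plain name: exact match only */
    /* A wildcard is accepted only as the entire leftmost label. */
    if (pattern[0] != '*' || pattern[1] != '.' || strchr(pattern + 1, '*'))
        return 0;
    /* Require two labels after the wildcard, so "*.com" is refused. */
    dot = strchr(pattern + 2, '.');
    if (dot == NULL || dot[1] == '\0')
        return 0;
    /* The wildcard stands for exactly one non-empty label of the host. */
    host_rest = strchr(host, '.');
    if (host_rest == NULL || host_rest == host)
        return 0;
    return eq_nocase(pattern + 1, host_rest);
}

/* Returns 1 if any of the n names taken from the certificate covers host. */
int cert_covers_host(const char *const *names, size_t n, const char *host)
{
    for (size_t i = 0; i < n; i++)
        if (name_matches_host(names[i], host))
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed names: a CA-valid certificate issued for a different site. */
    const char *const other[] = { "example.net", "*.example.net" };
    printf("mail.example.org: %d\n", cert_covers_host(other, 2, "mail.example.org"));
    return 0;
}
```

A result of 0 is the case the thread is about: the certificate chains to a trusted CA but names a different site, so the connection has to be flagged rather than silently accepted.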