Hi,

Here's the https-relevant part of a private email:

---------- Forwarded message ----------
Date: Wed, 7 Jul 2004 10:25:24 -0400 (CLT)
From: Jorge Arellano Cid <jcid@dillo.org>
To: Brett Wynkoop <wynkoop@wynn.com>
Subject: Re: dillo 0.8.2rc2

On Wed, 7 Jul 2004, Brett Wynkoop wrote:
> [...] I was surprised that there is no SSL support. I remember a recent release used wget for ssl. Is there any way to re-enable that on the current release?

The problem is that our former plugin didn't do certificate authentication (among other things commented in the code). As the Dillo project takes security seriously, it was withdrawn from the newer releases...

In other words, the https dpi allowed the user to see https URLs, but there was no security backing it. I know that some big browsers had the same bug for years, before it was made public. This allowed, for instance, man-in-the-middle attacks by faking the destination site.

Https is a very complex matter, and I'd rather not assert ours will be flawless. The least we can do is not to release one we know is broken.

I hope we can make a good https dpi soon.

If you want to use it anyway, assuming the risks, just get the https.c from 0.8.0 and drop it into the new tree. You will not even be able to post or send forms, but it'll allow you to read some https forums.

Sincerely,
Jorge.-