Hacker News new | past | comments | ask | show | jobs | submit login
This URL crashes Chrome/Chromium (cmrg.net)
24 points by reirob on March 4, 2014 | hide | past | favorite | 33 comments



Flagged. That's pretty annoying reirob; I assumed that would be a link to an article about the URL, since just crashing my browser was obviously a bad thing to do.

Question to downvoters: You don't ever click down the list of Hacker News submissions without thinking too hard first, or you don't think crashing my browser (and losing any state I had in them) is annoying?


Well, I have got it from Fefe's blog [1] directly as the link. I tried it out before submitting, i.e. I opened a Chromium browser and put the link. The title says what it does - I do not think it is link bait. And Fefe's blog gives as explanation (rough translation from German): The TLS handshake of this site kills Chrome browser.

I too want to know what goes on and I actually think that HN IS the place to submit this kind of bugs.


You shouldn't be using an insecure browser such as Google Chrome in the first place.


...I didn't think that one through.


Well... nobody can say the title is misleading.


I didn't try it in Chrome, but in Firefox I get the following. Is that right?

Secure Connection Failed

An error occurred during a connection to demo.cmrg.net. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.


Anyone explain what it does to chrome?

I'm using chrome on android, and it doesn't crash and the lock icon info doesn't show anything that jumps out as wrong.. ?


According to Fefe [1] (in German) it is the TLS Handshake.

[1] http://blog.fefe.de/?ts=adeb1bd6


Document explaining the root of the weakness in the TLS protocol: https://secure-resumption.com/

Blog from Chrome- and TLS developer Adam Langley: https://www.imperialviolet.org/2014/03/03/triplehandshake.ht...


Those links just talk about some weakness, I don't see anything saying they're related to the crash.


This also works in a html file with an img tag:

<img src="https://demo.cmrg.net/">


Firefox says

SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message.


(Error code: ssl_error_weak_server_ephemeral_dh_key)


Both links and wget don't complain though.


It didn't crash Chrome for me, but that's because I was using an out of date version.



The crash is caused by very short parameters for diffie hellman key exchanges in TLS. I did some further tests on that: https://dh.tlsfun.de/

Here's what I found in my blog: http://blog.hboeck.de/archives/841-Diffie-Hellman-and-TLS-wi...


IE11 gives a page can't be displayed. Investigating console reveals "code on this page disabled back and forward caching".


I thought the process-per-tab thing was meant to stop this sort of thing from taking the whole browser down.


That helps when the website code itself is malicious/broken. This crash is due a bug in the underlying TLS code itself. I don't think TLS is sandboxed or separated-per-tab, nor should it expectedly be.



exactly what I came here to post.


I'm not entirely sure what I expected when I clicked this.


Crashed Chromium 33.0.1750.117 x86_64 built on Gentoo.


Crashes Chrome 33.0.1750.146 on OSX 10.9.1


Fell for it. I see what you did there...


Opera 12 shows a big warning dialog warning the user that the site uses outdated and unsafe encryption.


It didn't crash Chromium for me. Arch Linux, Chromium 28.


Seems like a regression in the latest (33).


Crashed Chrome Version 33.0.1750.146 m on Windows 8.0.


Btw. it didn't just crash the sandbox.


Opera 20 on Windows. Boom!


Stop posting a direct link that crashes the whole web browser, that is down right malicious!

It's some sort of regression and a patch is already in review: https://codereview.chromium.org/178003011/

Stop karma whoring with this irresponsible shit.




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: