[PATCH] wget: don't silently ignore certificate validation

jakub at jirutka.cz
Sat May 26 15:39:29 UTC 2018


>> That's a crime against security!
> 
> Say what?

That’s hyperbole. The thing is that when you don’t verify the peer’s 
certificate, then you’re vulnerable to a MitM attack with fake certificate 
injection. The whole SSL/TLS is totally useless at that moment. It’s 
more or less like putting the door’s key under the carpet right in front 
of the door.

Allowing the user to bypass/ignore certificate verification is ok-ish in some 
situations, but only when the user does it consciously, using an explicit 
option such as --no-check-certificate, not silently as the default 
behaviour.

Jakub

On 2018-05-25 14:19, Denys Vlasenko wrote:
> On Thu, May 24, 2018 at 6:50 PM, Jakub Jirutka <jakub at jirutka.cz> 
> wrote:
>> Internal TLS code (FEATURE_WGET_HTTPS) does not implement validation
>> of the server's certificate.  It is documented in the code, but not
>> even mentioned in the --help message, so users typically don't know
>> about this behaviour.
> 
> 
>> That's a crime against security!
> 
> Say what?
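The three behaviours discussed in this thread (a client that verifies the server certificate against a trust store, a client that silently skips verification the way the internal busybox TLS code does, and a client that trusts an explicitly supplied CA certificate) can be shown side by side with a small Go program. This is an added example, not code from busybox or from anyone in the thread; it uses only the Go standard library, and the `httptest` TLS server with its generated self-signed certificate is a constructed stand-in for any server whose certificate no trusted CA has issued, such as one presented by a man in the middle.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// newServer starts a constructed HTTPS server. httptest issues it a
// self-signed certificate for 127.0.0.1 that no real CA vouches for.
func newServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, "hello over TLS\n")
	}))
}

// fetch performs one GET with the given client and returns the body, or
// the error that stopped the TLS handshake or request.
func fetch(client *http.Client, url string) (string, error) {
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(body), nil
}

// verifyingClient validates the server certificate against the system
// trust store, which is what a user expects from wget by default.
func verifyingClient() *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{}}}
}

// insecureClient accepts any certificate at all. This is the behaviour the
// thread objects to as a silent default; with wget it should only ever be
// reached through the explicit --no-check-certificate option.
func insecureClient() *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}}
}

// pinnedClient trusts exactly the certificate the operator supplied (the
// equivalent of pointing wget at a known CA file), so a substituted
// certificate is still rejected.
func pinnedClient(srv *httptest.Server) *http.Client {
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}}
}

// IsUnknownAuthority reports whether err is the verification failure a
// correct client must raise when the certificate chains to no trusted root.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	srv := newServer()
	defer srv.Close()

	_, err := fetch(verifyingClient(), srv.URL)
	fmt.Printf("verifying client: unknown authority rejected = %v (%v)\n", IsUnknownAuthority(err), err)

	body, err := fetch(insecureClient(), srv.URL)
	fmt.Printf("insecure client:  body=%q err=%v\n", body, err)

	body, err = fetch(pinnedClient(srv), srv.URL)
	fmt.Printf("pinned client:    body=%q err=%v\n", body, err)
}
```

Run it with `go run .`: the verifying client fails the handshake with an unknown-authority error, the insecure client happily downloads the body from a server it cannot identify, and the pinned client succeeds because the operator chose to trust that specific certificate. The design point is the one made in the thread: skipping verification is an explicit, visible choice in the code (`InsecureSkipVerify: true`), not something a caller can fall into without noticing.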


More information about the busybox mailing list