[PATCH] wget: don't silently ignore certificate validation

Denys Vlasenko vda.linux at googlemail.com
Sat May 26 15:54:16 UTC 2018


On Sat, May 26, 2018 at 5:39 PM,  <jakub at jirutka.cz> wrote:
>>> That's a crime against security!
>>
>> Say what?
>
> That’s hyperbole. The thing is that when you don’t verify the peer’s
> certificate, then you’re vulnerable to a MitM attack with fake certificate
> injection. The whole of SSL/TLS is totally useless at that moment. It’s more or
> less like putting the door’s key under the carpet right in front of the
> door.
>
> Allowing the user to bypass/ignore certificate verification is ok-ish in some
> situations, but only when the user does it consciously, using an explicit option
> such as --no-check-certificate, not silently as the default option.

wget.c:

//config:       If you still think this is unacceptable, send patches.
//config:
//config:       If you still think this is unacceptable, do not want to send
//config:       patches, but do want to waste bandwidth explaining how wrong
//config:       it is, you will be ignored.
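The behaviour the quoted reply argues for, shown as an added illustration (this is not busybox's wget.c and not code from either poster): a client that verifies the peer certificate by default, accepts a private CA or pinned certificate as the proper fix, and only skips verification on an explicit opt-out modelled on GNU wget's --no-check-certificate. It assumes the `openssl` command-line tool is on PATH, which it uses to mint a throwaway self-signed certificate (constructed test data) for a loopback TLS server standing in for a server whose certificate the client has no reason to trust.

```python
"""Added illustration (not busybox's wget.c, not code from either poster) of
the behaviour the quoted reply argues for: verify by default, and only skip
verification on an explicit opt-out modelled on GNU wget's
--no-check-certificate. Assumes the `openssl` CLI is on PATH so a throwaway
self-signed certificate can be minted for a loopback server."""
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading


def make_tls_context(no_check_certificate=False, ca_file=None):
    """Client context: CERT_REQUIRED + hostname check unless the caller
    explicitly opts out; ca_file lets the caller trust a private CA/cert
    instead of disabling verification altogether."""
    ctx = ssl.create_default_context(cafile=ca_file)
    if no_check_certificate:
        # Conscious, explicit choice only; never the silent default.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fetch(host, port, server_hostname, ctx):
    """Minimal HTTPS GET. Returns the status line, or 'REJECTED: <reason>'
    when the client refuses the server's certificate during the handshake."""
    with socket.create_connection((host, port), timeout=5) as raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
                tls.sendall(b"GET / HTTP/1.0\r\nHost: " + server_hostname.encode() + b"\r\n\r\n")
                return tls.recv(4096).split(b"\r\n", 1)[0].decode()
        except ssl.SSLCertVerificationError as exc:
            return "REJECTED: " + exc.reason


def openssl_available():
    return shutil.which("openssl") is not None


def make_self_signed(dirpath):
    """Mint a self-signed cert/key for 'localhost' (constructed test data)."""
    key = os.path.join(dirpath, "key.pem")
    cert = os.path.join(dirpath, "cert.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-days", "1", "-subj", "/CN=localhost",
                    "-addext", "subjectAltName=DNS:localhost",
                    "-keyout", key, "-out", cert],
                   check=True, capture_output=True)
    return cert, key


def serve(cert, key, n_clients):
    """Loopback TLS server answering n_clients connections with 200 OK.
    A client that rejects the certificate simply aborts its handshake."""
    sctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    sctx.load_cert_chain(cert, key)
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(n_clients)

    def run():
        for _ in range(n_clients):
            conn, _ = lsock.accept()
            conn.settimeout(5)
            try:
                with sctx.wrap_socket(conn, server_side=True) as tls:
                    tls.recv(1024)
                    tls.sendall(b"HTTP/1.0 200 OK\r\n\r\nhello\n")
            except (ssl.SSLError, OSError):
                pass  # verifying client hung up on us: expected
        lsock.close()

    threading.Thread(target=run, daemon=True).start()
    return lsock.getsockname()[1]


def run_demo():
    """Same untrusted (self-signed) server, three client policies."""
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = make_self_signed(tmp)
        port = serve(cert, key, 3)
        return {
            # secure default: unknown issuer, handshake refused
            "default": fetch("127.0.0.1", port, "localhost", make_tls_context()),
            # the right fix: trust that specific cert/CA, keep verifying
            "trusted": fetch("127.0.0.1", port, "localhost", make_tls_context(ca_file=cert)),
            # explicit opt-out: connects, but would equally accept a MitM's cert
            "no_check": fetch("127.0.0.1", port, "localhost",
                              make_tls_context(no_check_certificate=True)),
        }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:9s} {outcome}")
```

Run it directly and the "default" client reports CERTIFICATE_VERIFY_FAILED while "trusted" and "no_check" both get the 200 status line; the difference between the last two is that the opt-out client would have accepted any certificate at all, which is exactly the MitM exposure the quoted reply describes, whereas the trusted client only accepts the one it was told about.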

