[PATCH] wget: don't silently ignore certificate validation

Denys Vlasenko vda.linux at googlemail.com
Sat May 26 17:34:05 UTC 2018


wget should work for common use cases.
Such as downloading sources of kernels, gcc and such.
>From build scripts, not only by hand.
Without having to modify said scripts.
Your patch breaks that.
NAK.

I don't care that security people are upset.
They are paranoid, it's part of their profession.
It does not mean everybody else have to be as paranoid.

If you have a patch which adds actual cert checking
and thus does not introduce regressions, please post it.


On Sat, May 26, 2018 at 6:38 PM,  <jakub at jirutka.cz> wrote:
>> //config:       If you still think this is unacceptable, send patches.
>
>
> That’s exactly what I did.
> http://lists.busybox.net/pipermail/busybox/2018-May/086444.html
>
> Jakub
>
>
> On 2018-05-26 17:54, Denys Vlasenko wrote:
>>
>> On Sat, May 26, 2018 at 5:39 PM,  <jakub at jirutka.cz> wrote:
>>>>>
>>>>> That's a crime against security!
>>>>
>>>>
>>>> Say what?
>>>
>>>
>>> That’s a hyperbole. The thing is that when you don’t verify the peer’s
>>> certificate, then you’re vulnerable to MitM attack with fake certificate
>>> injection. The whole SSL/TLS is totally useless in that moment. It’s more
>>> or
>>> less like putting the door’s key under the carpet right in front of the
>>> door.
>>>
>>> Allowing to bypass/ignore certificate verification is ok-ish in some
>>> situations, but only when the user do it consciously, using explicit
>>> option
>>> such as --no-check-certificate, not silently as the default option.
>>
>>
>> wget.c:
>>
>> //config:       If you still think this is unacceptable, send patches.
>> //config:
>> //config:       If you still think this is unacceptable, do not want to
>> send
>> //config:       patches, but do want to waste bandwidth explaining how
>> wrong
>> //config:       it is, you will be ignored.


More information about the busybox mailing list