[PATCH] wget: don't silently ignore certificate validation

Eli Schwartz eschwartz at archlinux.org
Sun May 27 15:58:07 UTC 2018


On 05/26/2018 01:34 PM, Denys Vlasenko wrote:
> wget should work for common use cases.
> Such as downloading sources of kernels, gcc and such.
> From build scripts, not only by hand.
> Without having to modify said scripts.
> Your patch breaks that.
> NAK.
> 
> I don't care that security people are upset.
> They are paranoid, it's part of their profession.
> It does not mean everybody else have to be as paranoid.
> 
> If you have a patch which adds actual cert checking
> and thus does not introduce regressions, please post it.

It's unacceptable that for something which you see as primarily useful
in downloading very important source code, you simply don't care that
the source code may be compromised by a MITMed attack.

> On Sat, May 26, 2018 at 6:38 PM,  <jakub at jirutka.cz> wrote:
>>> //config:       If you still think this is unacceptable, send patches.
>>
>>
>> That’s exactly what I did.
>> http://lists.busybox.net/pipermail/busybox/2018-May/086444.html
>>
>> Jakub
>>
>>
>> On 2018-05-26 17:54, Denys Vlasenko wrote:
>>> On Sat, May 26, 2018 at 5:39 PM,  <jakub at jirutka.cz> wrote:
>>>>>> That's a crime against security!
>>>>> Say what?
>>>>
>>>>
>>>> That’s a hyperbole. The thing is that when you don’t verify the peer’s
>>>> certificate, then you’re vulnerable to MitM attack with fake certificate
>>>> injection. The whole SSL/TLS is totally useless in that moment. It’s more
>>>> or
>>>> less like putting the door’s key under the carpet right in front of the
>>>> door.
>>>>
>>>> Allowing to bypass/ignore certificate verification is ok-ish in some
>>>> situations, but only when the user do it consciously, using explicit
>>>> option
>>>> such as --no-check-certificate, not silently as the default option.

The justification for including HTTPS in the first place:
https://git.busybox.net/busybox/tree/networking/wget.c?id=8bc418f07eab79a9c8d26594629799f6157a9466#n74

"my small automatic tooling to build cross-compilers from sources no
longer works, I need to additionally keep a local copy of ~4 megabyte
source tarball of a SSL library and ~2 megabyte source of wget, need to
compile and built both before I can download anything. All this despite
the fact that the build is done in a QEMU sandbox on a machine with
absolutely nothing worth stealing, so I don't care if someone would go
to a lot  of trouble to intercept my HTTPS download to send me an
altered kernel tarball"

This is incredibly terrible logic, your cross-compiler is now infected
with malicious code. The purpose of compiling code is *usually* to use
it, which means that wherever you use that code, you're no longer in a
QEMU sandbox, and whichever real box you use it on, can now say hello to
unlimited arbitrary code execution.

-- 
Eli Schwartz
Bug Wrangler and Trusted User


More information about the busybox mailing list