[PATCH] wget: don't silently ignore certificate validation

Natanael Copa ncopa at alpinelinux.org
Sun May 27 18:03:03 UTC 2018


Denys,

Most common use case for https is to give some sort of guarantee that
you actually get what you think you get or that you get from who you
think you get it from. That is what most people expect when downloading
from https. If you don't care about verifying that, then the common use
case is to use http (without the 's').

Now, I think it is perfectly fine that some people do not care about
checking certificates, but in that case I think it's reasonable to
explicitly tell that to wget. This is exactly what the GNU wget does
and this is what Jirutka's patch does. I am confident that this is what
the big majority would want from the tool.

Apparently there are strong opinions in both directions here what the
desired behavior should be, so I think it makes sense to have a config
option for this?

-nc


On Sat, 26 May 2018 19:34:05 +0200
Denys Vlasenko <vda.linux at googlemail.com> wrote:

> wget should work for common use cases.
> Such as downloading sources of kernels, gcc and such.
> From build scripts, not only by hand.
> Without having to modify said scripts.
> Your patch breaks that.
> NAK.
> 
> I don't care that security people are upset.
> They are paranoid, it's part of their profession.
> It does not mean everybody else has to be as paranoid.
> 
> If you have a patch which adds actual cert checking
> and thus does not introduce regressions, please post it.
> 
> 
> On Sat, May 26, 2018 at 6:38 PM,  <jakub at jirutka.cz> wrote:
> >> //config:       If you still think this is unacceptable, send patches.  
> >
> >
> > That's exactly what I did.
> > http://lists.busybox.net/pipermail/busybox/2018-May/086444.html
> >
> > Jakub
> >
> >
> > On 2018-05-26 17:54, Denys Vlasenko wrote:  
> >>
> >> On Sat, May 26, 2018 at 5:39 PM,  <jakub at jirutka.cz> wrote:  
> >>>>>
> >>>>> That's a crime against security!  
> >>>>
> >>>>
> >>>> Say what?  
> >>>
> >>>
> >>> That's a hyperbole. The thing is that when you don't verify the peer's
> >>> certificate, then you're vulnerable to MitM attack with fake certificate
> >>> injection. The whole SSL/TLS is totally useless in that moment. It's more or
> >>> less like putting the door's key under the carpet right in front of the
> >>> door.
> >>>
> >>> Allowing to bypass/ignore certificate verification is ok-ish in some
> >>> situations, but only when the user does it consciously, using explicit option
> >>> such as --no-check-certificate, not silently as the default option.
> >>
> >>
> >> wget.c:
> >>
> >> //config:       If you still think this is unacceptable, send patches.
> >> //config:
> >> //config:       If you still think this is unacceptable, do not want to send
> >> //config:       patches, but do want to waste bandwidth explaining how wrong
> >> //config:       it is, you will be ignored.


