[PATCH] wget: don't silently ignore certificate validation
Xabier Oneca -- xOneca
xoneca at gmail.com
Mon May 28 06:43:31 UTC 2018
Hello,
> The justification for including HTTPS in the first place:
> https://git.busybox.net/busybox/tree/networking/wget.c?id=8bc418f07eab79a9c8d26594629799f6157a9466#n74
>
> "my small automatic tooling to build cross-compilers from sources no
> longer works, I need to additionally keep a local copy of ~4 megabyte
> source tarball of a SSL library and ~2 megabyte source of wget, need to
> compile and built both before I can download anything. All this despite
> the fact that the build is done in a QEMU sandbox on a machine with
> absolutely nothing worth stealing, so I don't care if someone would go
> to a lot of trouble to intercept my HTTPS download to send me an
> altered kernel tarball"
>
> This is incredibly terrible logic, your cross-compiler is now infected
> with malicious code. The purpose of compiling code is *usually* to use
> it, which means that wherever you use that code, you're no longer in a
> QEMU sandbox, and whichever real box you use it on, can now say hello to
> unlimited arbitrary code execution.
Well, I see it as "some servers no longer allow to download through
HTTP because they redirect to HTTPS first, so I need a tool which
speaks SSL". In this case, I see the reasoning behind that comment is
acceptable.
Cheers,
Xabier Oneca_,,_
More information about the busybox
mailing list