[PATCH] wget: don't silently ignore certificate validation

Denys Vlasenko vda.linux at googlemail.com
Mon May 28 09:00:24 UTC 2018


On Sun, May 27, 2018 at 8:55 PM, Michael Conrad <mconrad at intellitree.com> wrote:
> The story just broke earlier this year how a casino hotel "smart
> thermometer" in the fish tank was used as a backdoor to attack the rest of
> their network.
>
> If a smart device running busybox is programmed to automatically check for
> firmware updates, the designers might expect HTTPS to be a valid form of
> security to know that they were accessing their own servers.  If they don't
> write a test case to verify that certificates are checked, it's shoddy work,
> but there's a lot of shoddy work in smart devices.
>
> In such a scenario, anyone on the same wifi would be able to overwrite the
> firmware of the device.  This almost deserves a CVE number.

Anyone on the same wifi can wreak total havoc on the entire network
by messing with ARP, routing and DHCP. If you care that much,
you must not allow untrusted users on your local network.
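A test case of the kind Michael Conrad's message asks for, as an added example that is not from the thread or from busybox: it stands up a local HTTPS server with a throwaway self-signed certificate and checks that a strict client refuses it, that a client with verification switched off (the "silently ignore" case in the subject line, what wget's --no-check-certificate amounts to) accepts it, and that a client trusting the vendor's own certificate succeeds. It assumes the openssl CLI is on PATH to mint the certificate, and uses the Python standard library client in place of busybox wget.

```python
import http.server, os, ssl, subprocess, tempfile, threading
import urllib.error, urllib.request

class FirmwareHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in update server; serves a constructed firmware blob."""
    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"FIRMWARE-IMAGE")
    def log_message(self, *args):
        pass

def make_selfsigned(workdir):
    """Mint a throwaway self-signed cert for 127.0.0.1 (constructed test data; assumes openssl CLI)."""
    crt, key = os.path.join(workdir, "srv.crt"), os.path.join(workdir, "srv.key")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-days", "1", "-subj", "/CN=127.0.0.1",
                    "-addext", "subjectAltName=IP:127.0.0.1",
                    "-keyout", key, "-out", crt], check=True, capture_output=True)
    return crt, key

def fetch_ok(url, ctx):
    """True if the fetch succeeded under ctx; False if TLS verification refused the server."""
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=5) as resp:
            return resp.read() == b"FIRMWARE-IMAGE"
    except urllib.error.URLError as err:
        if isinstance(err.reason, ssl.SSLError):
            return False
        raise

def run_check():
    """Run three client configurations against the local self-signed server."""
    with tempfile.TemporaryDirectory() as workdir:
        crt, key = make_selfsigned(workdir)
        srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        srv_ctx.load_cert_chain(crt, key)
        httpd = http.server.HTTPServer(("127.0.0.1", 0), FirmwareHandler)
        httpd.socket = srv_ctx.wrap_socket(httpd.socket, server_side=True)
        threading.Thread(target=httpd.serve_forever, daemon=True).start()
        url = "https://127.0.0.1:%d/fw.bin" % httpd.server_address[1]
        strict = ssl.create_default_context()            # system CA store only: must refuse
        unverified = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        unverified.check_hostname = False                 # verification off: the dangerous state
        unverified.verify_mode = ssl.CERT_NONE
        pinned = ssl.create_default_context(cafile=crt)   # trusts the vendor's own cert: must succeed
        results = {name: fetch_ok(url, ctx) for name, ctx in
                   [("strict", strict), ("unverified", unverified), ("pinned", pinned)]}
        httpd.shutdown()
        return results

if __name__ == "__main__":
    print(run_check())   # expect {'strict': False, 'unverified': True, 'pinned': True}
```

A build that ships an updater should fail if "strict" ever comes back True, since that means the client accepted a certificate nobody vouched for.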

