Re: [Bug-wget] [bug #51666] Please hash the hostname in ~/.wget-hsts files

2017-08-18 Thread Tim Rühsen
On Freitag, 18. August 2017 14:51:12 CEST Ander Juaristi wrote:
> Follow-up Comment #2, bug #51666 (project wget):
> 
> I'm not generally against this kind of small tweak that doesn't harm and
> slightly improves users' privacy.
> 
> If Firefox doesn't do it, we don't care: it's their business and they will
> end up doing it if users request that feature (maybe because they saw it in
> wget).
> 
> Private SSH keys can be protected with a password if you want to.

As long as it is optional...

It would be nice being file compatible with Firefox (at least reading Firefox 
HSTS db).
Maybe the sqlite backend that has been mentioned earlier should then work with 
the same settings (hashed/not hashed).

> We can do both, hash and still keep the readable to the user only. If the
> overhead is not much I would go for it. That is the basis of every security
> framework out there: if the benefits of having 2 security mechanisms instead
> of only 1 outweigh the drawbacks, then implement 2 instead of 1.

Absolutely, but in this special case you open up a can of worms. From a 
security standpoint, the average home directory is a nightmare. Once someone 
gets access to it (read or write)...

Regards, Tim



[Bug-wget] [bug #51666] Please hash the hostname in ~/.wget-hsts files

2017-08-18 Thread Ander Juaristi
Follow-up Comment #3, bug #51666 (project wget):

> We can do both, hash and still keep the readable to the user only

... hash and still keep the _files_ readable ...



___

Reply to this item at:

  

___
  Message sent via/by Savannah
  http://savannah.gnu.org/




[Bug-wget] [bug #51666] Please hash the hostname in ~/.wget-hsts files

2017-08-18 Thread Ander Juaristi
Follow-up Comment #2, bug #51666 (project wget):

I'm not generally against this kind of small tweak that doesn't harm and
slightly improves users' privacy.

If Firefox doesn't do it, we don't care: it's their business and they will end
up doing it if users request that feature (maybe because they saw it in
wget).

Private SSH keys can be protected with a password if you want to.

> While we could hash anything, it would be way safer for you to protect your
> complete home directory

We can do both, hash and still keep the readable to the user only. If the
overhead is not much I would go for it. That is the basis of every security
framework out there: if the benefits of having 2 security mechanisms instead
of only 1 outweigh the drawbacks, then implement 2 instead of 1.

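As an added illustration of the two mechanisms argued about in this thread (hashed hostnames plus a file readable only by its owner), here is example code that is not wget's own. The record layout mirrors wget's tab-separated entries (host, port, include_subdomains, created, max_age), but the keyed SHA-256 and the per-file random salt are this example's assumptions; note that because the salt is stored in the file, anyone who can read the home directory can still check whether a guessed host is present, which is exactly the limit Tim points out.

```python
import hashlib, hmac, os, secrets, tempfile, time

# Record layout follows wget's tab-separated HSTS entries (host, port,
# include_subdomains, created, max_age); the keyed hash and the per-file
# salt are assumptions made for this example, not wget's on-disk format.
def host_digest(salt: bytes, host: str) -> str:
    """Keyed SHA-256 of the lowercased hostname; the salt defeats precomputed tables."""
    return hmac.new(salt, host.lower().encode(), hashlib.sha256).hexdigest()

def save_hsts(path, entries):
    salt = secrets.token_bytes(16)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)  # owner-only file
    with os.fdopen(fd, "w") as f:
        f.write(f"# HSTS hashed-host database\n# salt={salt.hex()}\n")
        for host, port, subs, created, max_age in entries:
            f.write(f"{host_digest(salt, host)}\t{port}\t{int(subs)}\t{created}\t{max_age}\n")

def load_hsts(path):
    salt, table = None, {}
    with open(path) as f:
        for line in f:
            if line.startswith("# salt="):
                salt = bytes.fromhex(line[7:].strip())
            elif line.strip() and not line.startswith("#"):
                digest, port, subs, created, max_age = line.rstrip("\n").split("\t")
                table[(digest, int(port))] = (subs == "1", int(created), int(max_age))
    return salt, table

def must_use_https(path, host, port=0, now=None):
    """The lookup hashes the queried name, so the file never lists hosts in clear."""
    now = time.time() if now is None else now
    salt, table = load_hsts(path)
    labels = host.lower().split(".")
    for i in range(len(labels)):  # exact host first, then parents with include_subdomains
        entry = table.get((host_digest(salt, ".".join(labels[i:])), port))
        if entry and (i == 0 or entry[0]) and entry[1] + entry[2] > now:
            return True
    return False

def demo():
    """Write a constructed database, then report lookups and what the file discloses."""
    path = os.path.join(tempfile.mkdtemp(), "wget-hsts")
    save_hsts(path, [("example.com", 0, True, 1500000000, 31536000),
                     ("old.example.org", 0, False, 1400000000, 3600)])
    raw = open(path).read()
    return {"mode": oct(os.stat(path).st_mode & 0o777), "plain_host_in_file": "example.com" in raw,
            "example.com": must_use_https(path, "example.com", now=1510000000),
            "www.example.com": must_use_https(path, "www.example.com", now=1510000000),
            "old.example.org": must_use_https(path, "old.example.org", now=1510000000),
            "other.net": must_use_https(path, "other.net", now=1510000000)}
```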

Re: [Bug-wget] wget --secure-protocol=SSLv2 --certificate=/home/www/html/paj/key2.pem --certificate-type=PEM https://85.133.186.11:7878/ipgapp/services/IPGService?wsd

2017-08-18 Thread Ander Juaristi
I'm sure you'll understand it's difficult to troubleshoot that from our side
without having a copy of your client certificate.

I've visited the URL and *I think* the site issues a non-standard root (CA)
certificate, so if that's the case you would need to tell wget to accept that
cert as a CA. You do that with --ca-certificate.

However, from the error messages it seems more likely that either the cert file
you're using is invalid, malformed or you entered an incorrect password.

On 06/08/17 16:50, Nasrollah Mohammadi wrote:
> wget --secure-protocol=SSLv2 --certificate=/home/www/html/paj/key2.pem
> --certificate-type=PEM
> https://85.133.186.11:7878/ipgapp/services/IPGService?wsdl
> --2017-08-06 22:22:07--
> https://85.133.186.11:7878/ipgapp/services/IPGService?wsdl
> Enter PEM pass phrase:
> OpenSSL: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
> OpenSSL: error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error
> OpenSSL: error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error
> OpenSSL: error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib
> OpenSSL: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
> Disabling SSL due to encountered errors.
>