Bug#745836: wget: certificate revocation is not checked
Control: found -1 1.16-1
Control: tag -1 + upstream
Control: clone -1 -2
Control: severity -1 wishlist
Control: retitle -2 wget manpage doesn't warn that certificate revocation lists are not checked

Hi,

[hoping I got all the Control stanzas right..]

Vincent Lefevre wrote (28 Apr 2014 09:11:42 GMT) :
> It's a bug because it doesn't behave as documented [...]

OK, thanks for the clarification. Then, keeping #745836 as a wishlist bug
to track the missing feature, and creating a clone about the more
important (and more likely to be fixed here) documentation bug.

Regarding the missing feature, you might have better chances of seeing
this resolved by reporting it upstream :) (I've checked there [1] and
could not find it.)

[1] https://savannah.gnu.org/bugs/?group=wget

> This makes the user (who cares about certificate validity) assume that
> without the --no-check-certificate option, the site's authenticity is
> guaranteed, while this is currently absolutely wrong with the lack of
> revocation checking.

There's no such thing as guaranteed wrt. IT security in general, and even
less so when one is relying on known-broken systems like the CA cartel to
authenticate remote parties. Therefore, I personally don't think that the
doc bug should be RC, but I'm not interested in severity ping-pong, so
I'll leave it to the maintainer to judge, and to the release team to
decide if it should be ignored for Jessie.

Cheers,
--
intrigeri

--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Processed: Re: Bug#745836: wget: certificate revocation is not checked
Processing control commands:

> found -1 1.16-1
Bug #745836 [wget] wget: certificate revocation is not checked
Marked as found in versions wget/1.16-1.
> tag -1 + upstream
Bug #745836 [wget] wget: certificate revocation is not checked
Added tag(s) upstream.
> clone -1 -2
Bug #745836 [wget] wget: certificate revocation is not checked
Bug 745836 cloned as bug 767283
> severity -1 wishlist
Bug #745836 [wget] wget: certificate revocation is not checked
Severity set to 'wishlist' from 'grave'
> retitle -2 wget manpage doesn't warn that certificate revocation lists are not checked
Bug #767283 [wget] wget: certificate revocation is not checked
Changed Bug title to 'wget manpage doesn't warn that certificate revocation lists are not checked' from 'wget: certificate revocation is not checked'

--
745836: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745836
767283: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767283
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#745836: wget: certificate revocation is not checked
On 2014-08-19 13:43:26 +0400, Vlad Orlov wrote:
> This indeed looks like a bug in 1.15, because 1.13 and 1.14 recognize
> the expired certificate:
>
> $ wget www.cloudflarechallenge.com
> --2014-08-19 13:41:45--  http://www.cloudflarechallenge.com/
> Resolving www.cloudflarechallenge.com (www.cloudflarechallenge.com)... 107.170.194.215
> Connecting to www.cloudflarechallenge.com (www.cloudflarechallenge.com)|107.170.194.215|:80... connected.
> HTTP request sent, awaiting response... 301 Moved Permanently
> Location: https://www.cloudflarechallenge.com/ [following]
> --2014-08-19 13:41:46--  https://www.cloudflarechallenge.com/
> Connecting to www.cloudflarechallenge.com (www.cloudflarechallenge.com)|107.170.194.215|:443... connected.
> ERROR: The certificate of 'www.cloudflarechallenge.com' is not trusted.
> The certificate has expired

This bug isn't on expired certificates, but on the revoked ones.
The www.cloudflarechallenge.com test is now obsolete because the
certificate has expired (wget 1.15 checks that, so no bugs here for
expired certificates). Two tests with revoked certificates are still
working:

  https://revoked.grc.com/
  https://www.vinc17.net:4434/

--
Vincent Lefèvre vinc...@vinc17.net - Web: https://www.vinc17.net/
100% accessible validated (X)HTML - Blog: https://www.vinc17.net/blog/
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
Bug#745836: wget: certificate revocation is not checked
This indeed looks like a bug in 1.15, because 1.13 and 1.14 recognize
the expired certificate:

$ wget www.cloudflarechallenge.com
--2014-08-19 13:41:45--  http://www.cloudflarechallenge.com/
Resolving www.cloudflarechallenge.com (www.cloudflarechallenge.com)... 107.170.194.215
Connecting to www.cloudflarechallenge.com (www.cloudflarechallenge.com)|107.170.194.215|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.cloudflarechallenge.com/ [following]
--2014-08-19 13:41:46--  https://www.cloudflarechallenge.com/
Connecting to www.cloudflarechallenge.com (www.cloudflarechallenge.com)|107.170.194.215|:443... connected.
ERROR: The certificate of 'www.cloudflarechallenge.com' is not trusted.
The certificate has expired
Bug#745836: Re[2]: Bug#745836: wget: certificate revocation is not checked
> This bug isn't on expired certificates, but on the revoked ones.
> The www.cloudflarechallenge.com test is now obsolete because the
> certificate has expired (wget 1.15 checks that, so no bugs here for
> expired certificates). Two tests with revoked certificates are still
> working:
>
>   https://revoked.grc.com/
>   https://www.vinc17.net:4434/

Ah, that's another matter, thanks for pointing it out. In this case,
wget 1.13 (from Wheezy) and 1.14 behave just like 1.15: they download
index.html right away.
Bug#745836: wget: certificate revocation is not checked
Control: severity -1 wishlist
Control: tags -1 security

On 25 April 2014 19:46, Vincent Lefevre vinc...@vinc17.net wrote:
> Package: wget
> Version: 1.15-1
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Certificate revocation is not checked: wget downloads
[...]

It is not a bug, it is a missing feature.

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Processed: Re: Bug#745836: wget: certificate revocation is not checked
Processing control commands:

> severity -1 wishlist
Bug #745836 [wget] wget: certificate revocation is not checked
Severity set to 'wishlist' from 'grave'
> tags -1 security
Bug #745836 [wget] wget: certificate revocation is not checked
Ignoring request to alter tags of bug #745836 to the same tags previously set

--
745836: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745836
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#745836: wget: certificate revocation is not checked
Processing control commands:

> severity -1 grave
Bug #745836 [wget] wget: certificate revocation is not checked
Severity set to 'grave' from 'wishlist'

--
745836: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745836
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#745836: wget: certificate revocation is not checked
Package: wget
Version: 1.15-1
Severity: grave
Tags: security
Justification: user security hole

Certificate revocation is not checked: wget downloads
https://www.cloudflarechallenge.com/ without any warning or error,
contrary to Firefox (and to Chromium when the CRLSet is up-to-date).

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.11-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages wget depends on:
ii  libc6        2.18-4
ii  libgnutls28  3.2.13-2
ii  libidn11     1.28-2
ii  libnettle4   2.7.1-2
ii  libuuid1     2.20.1-5.7
ii  zlib1g       1:1.2.8.dfsg-1

Versions of packages wget recommends:
ii  ca-certificates  20140325

wget suggests no packages.

-- no debconf information
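The gap the report describes (a chain that validates on signature, expiry and name but is never checked against a CRL) can be reproduced offline with the OpenSSL command-line tool. The script below is an added example, not from the bug thread or from wget; it builds a throwaway CA with constructed names, issues and revokes a leaf certificate, and then runs `openssl verify` twice: chain-only, which mirrors what wget does, and with `-crl_check`, which is the check a revocation-aware client performs.

```shell
#!/bin/sh
# Added demo (not from the bug thread): throwaway CA, revoked leaf, CRL,
# then chain-only verification versus chain + CRL verification.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Minimal config for `openssl ca`; every name here is constructed.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = index.txt
new_certs_dir = .
serial = serial
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = demo_policy
[ demo_policy ]
commonName = supplied
EOF
: > index.txt
echo 01 > serial

# Self-signed demo CA and a leaf certificate for the constructed name "revoked.example"
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj /CN=DemoCA \
    -keyout ca.key -out ca.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj /CN=revoked.example \
    -keyout leaf.key -out leaf.csr 2>/dev/null
openssl ca -batch -notext -config ca.cnf -in leaf.csr -out leaf.pem 2>/dev/null

# Revoke the leaf and publish the CRL a revocation-aware client would consult
openssl ca -config ca.cnf -revoke leaf.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null

# Chain-only validation: signature, validity period and issuer are fine, so it passes
verify_chain_only() { openssl verify -CAfile ca.pem leaf.pem; }
# Same chain with the CRL consulted: the leaf's serial is listed, so it fails
verify_with_crl()   { openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem leaf.pem; }

verify_chain_only && echo "chain-only: accepted (this is all wget checks)"
verify_with_crl || echo "with CRL: rejected (certificate revoked)"
```

The second `verify` reports "certificate revoked" for the same leaf the first one accepted, which is exactly the difference between the documented and the actual behaviour the report complains about.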