Re: [PATCH] wget: don't silently ignore certificate validation

2018-05-26 Thread Kang-Che Sung
On Fri, May 25, 2018 at 12:50 AM, Jakub Jirutka wrote: > Internal TLS code (FEATURE_WGET_HTTPS) does not implement validation > of the server's certificate. It is documented in the code, but not > even mentioned in the --help message, so users typically don't know > about this

Re: [PATCH] wget: don't silently ignore certificate validation

2018-05-26 Thread Kang-Che Sung
On Sun, May 27, 2018 at 1:34 AM, Denys Vlasenko wrote: > wget should work for common use cases. > Such as downloading sources of kernels, gcc and such. > From build scripts, not only by hand. > Without having to modify said scripts. > Your patch breaks that. > NAK. > > I

Re: [PATCH] wget: don't silently ignore certificate validation

2018-05-26 Thread tiggersWelt.net (Support)
Good evening Denys, I agree with you that this patch is unacceptable, I also agree that everyone who is complaining about the situation should send patches, but I strongly disagree that it is valid to break security to keep "common use cases" working. Using security-techniques like https should

Re: [PATCH] wget: don't silently ignore certificate validation

2018-05-26 Thread Denys Vlasenko
wget should work for common use cases. Such as downloading sources of kernels, gcc and such. From build scripts, not only by hand. Without having to modify said scripts. Your patch breaks that. NAK. I don't care that security people are upset. They are paranoid, it's part of their profession. It

Re: [PATCH] wget: don't silently ignore certificate validation

2018-05-26 Thread jakub
//config: If you still think this is unacceptable, send patches. That’s exactly what I did. http://lists.busybox.net/pipermail/busybox/2018-May/086444.html Jakub On 2018-05-26 17:54, Denys Vlasenko wrote: On Sat, May 26, 2018 at 5:39 PM, wrote: That's a crime

Re: [PATCH 1/1] libbb: reduce the overhead of single parameter bb_error_msg() calls

2018-05-26 Thread Denys Vlasenko
On Fri, May 11, 2018 at 7:32 PM, James Byrne wrote: > Back in 2007, bb_simple_perror_msg() was introduced to allow for a lower > overhead call to bb_perror_msg() when only a string was being printed > with no parameters. This saves space because it avoids the

Re: [PATCH] wget: don't silently ignore certificate validation

2018-05-26 Thread Denys Vlasenko
On Sat, May 26, 2018 at 5:39 PM, wrote: >>> That's a crime against security! >> >> Say what? > > That’s a hyperbole. The thing is that when you don’t verify the peer’s > certificate, then you’re vulnerable to MitM attack with fake certificate > injection. The whole SSL/TLS is

Re: [PATCH] wget: don't silently ignore certificate validation

2018-05-26 Thread jakub
That's a crime against security! Say what? That’s a hyperbole. The thing is that when you don’t verify the peer’s certificate, then you’re vulnerable to MitM attack with fake certificate injection. The whole SSL/TLS is totally useless in that moment. It’s more or less like putting the