Re: [Bug-wget] --no-check-cert does not avoid cert warning
From: Tim Rühsen
Subject: Re: [Bug-wget] --no-check-cert does not avoid cert warning
Date: Tue, 01 Dec 2015 19:16:12 +0100
User-agent: KMail/4.14.10 (Linux/4.2.0-1-amd64; KDE/4.14.13; x86_64; ; )
On Tuesday, 1 December 2015, 18:39:06, Giuseppe Scrivano wrote:
> Ángel González <address@hidden> writes:
> > On 30/11/15 22:33, Tim Rühsen wrote:
> >> There is the situation where --no-check-cert is implicitly set (.wgetrc,
> >> /etc/wgetrc, alias) and the user isn't aware of it. Just downloading
> >> without a warning opens a huge security hole because you can't verify
> >> where you downloaded it from (DNS attacks, MITM).
> >> I leave it to your imagination what could happen to people in unsafe
> >> countries... this warning could save lives.
> >>
> >> For an expert like Karl, this is just annoying.
> >>
> >> The warning text could be worked on, making clear that you are really
> >> leaving secure ground, that cert checking has been explicitly turned off
> >> and how to turn it on again. And only proceed if you really, really are
> >> aware of what you are doing.
> >>
> >> Of course all this applies to HTTP (plain text) as well. But someone
> >> requesting HTTPS and then dropping the gained security should be warned
> >> by default.
> >>
> >> My thinking is a pessimistic approach, but as long as you can't be 100%
> >> sure that bad things can't happen due to dropping the warning, we
> >> should leave it (and improve it the best we can).
> >>
> >> Tim
> >
> > An alternative to make --no-check-certificate silent would be to
> > provide a parameter to explicitly silence it:
> > --no-check-certificate=quiet
>
> good idea, it looks like a good compromise. Tim, would it work for you?
> We will keep the current behavior, and brave users can use the new
> parameter.
A new parameter is basically fine.
But let's see what Karl answers to my last mail - I suggested stderr filtering
for his script, so he can get rid of the warning. If that works out, we have a
simple solution without touching wget. Also that solution is applicable to
other warnings/messages as well.
If Karl (or anyone else) still has a problem, let's add a new option (or
extend --check-certificate) as Ángel suggests.
Tim
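
The stderr filtering suggested in the message above, as an added example that is not part of the original post or of wget: a POSIX sh wrapper that drops only stderr lines containing one fixed string, passes all other diagnostics through, and returns the wrapped command's exit status. The names `filter_stderr` and `fake_fetch` and the sample warning text are constructed assumptions; a real script would pass the exact warning line its wget version prints.

```shell
# Added example (not from the thread): filter one known warning out of stderr.
# filter_stderr PATTERN CMD [ARGS...]
#   - stdout of CMD is passed through untouched
#   - stderr lines containing the fixed string PATTERN are dropped
#   - every other stderr line still reaches stderr
#   - the exit status of CMD is returned, not grep's
filter_stderr() {
    fs_pattern=$1
    shift
    {
        fs_status=$(
            {
                {
                    fs_rc=0
                    # stderr -> pipe to grep, stdout -> caller's stdout (fd 3)
                    "$@" 2>&1 1>&3 3>&- 4>&- || fs_rc=$?
                    echo "$fs_rc" >&4      # hand the exit status back on fd 4
                } | grep -v -F -e "$fs_pattern" >&2 3>&- 4>&- || :
            } 4>&1
        )
    } 3>&1
    return "$fs_status"
}

# Stand-in for the real download command; its output lines are constructed
# samples, not wget's actual messages.
fake_fetch() {
    echo "payload line"
    echo "WARNING: certificate check is disabled (constructed sample)" >&2
    echo "ERROR: connection reset (constructed sample)" >&2
    return "$1"
}

# Only the ERROR line is shown on stderr; the payload goes to stdout.
filter_stderr "certificate check is disabled" fake_fetch 0
```

Matching a fixed string with `grep -F` keeps the filter narrow, so any other TLS or network diagnostic stays visible in the script's logs.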