-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I disagree with Tony's statement: unless you're having wget spit out information about what the certificate _is_, how can you claim to "trust" it? And even doing so, you've already sent the username and password before you can review what wget said about the certificate.

With --no-check-certificate, the connection is explicitly insecure. Any man-in-the-middle can hijack the connection, and if you're sending passwords or sensitive data, the game is over. What you are assured, of course, is _privacy_ (and data integrity) between yourself and the remote. What you're not assured is _who_ the remote is. Authentication is an essential component of security. However, in the case of self-signed certs (such as this one), you've _already_ lost such an assurance, so it can't do much harm. Though, if you know for a fact that a particular certificate is valid, it'd still be better to make an explicit exemption for that one certificate, rather than a blanket "don't worry about it" (unfortunately, wget doesn't currently offer such a facility: I'll file a bug).

But of course, in the real world, if you're talking about little things, like access to your private little project's bug tracker, or your private family photo album, the damage that you would suffer from exposing your password to an attacker may well be far lower than the actual risk that someone would be sufficiently motivated to execute such an attack against your connection.

- -mjc

Ben Smith wrote:
> OK, I was thrown off by the following line:
>> To connect to dss.ucar.edu insecurely, use `--no-check-certificate'.
> I guess it's referring to the fact that wget can't verify the security rather
> than it won't be encrypted.
>
> ----- Original Message ----
>> From: Tony Lewis <[email protected]>
>> To: Ben Smith <[email protected]>
>> Sent: Tuesday, July 28, 2009 11:21:30 AM
>> Subject: RE: [Bug-wget] (no subject)
>>
>> Ben Smith wrote in reply to Rodrigo S Wanderley:
>>
>>> That might not be a good option as it would now be an insecure connection.
>>> Obviously, I don't know if that is an issue for this use, but it's something
>>> to consider. Unfortunately, I can't help with an alternate solution that
>>> would use a secure connection.
>>
>> The use of --no-check-certificate does not make the session insecure. It
>> tells wget that you, the user, trust the validity of the certificate
>> provided by the server even though wget cannot independently verify it.
>>
>> All other aspects of the SSL session are processed normally.
>>
>> Tony

- --
Micah J. Cowan
Programmer, musician, typesetting enthusiast, gamer.
Maintainer of GNU Wget and GNU Teseq
http://micah.cowan.name/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkpvR7wACgkQ7M8hyUobTrE+yQCfZYpyEqgn7nR5hk8TL9NIFSwp
ybwAn0ISJMYOc9CCME5I2jb0BimpaySN
=m5mR
-----END PGP SIGNATURE-----
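The per-certificate exemption Micah describes above, as an added example that is not part of this thread and not wget's own code: instead of --no-check-certificate, capture the certificate the server presents, confirm its SHA-256 fingerprint against a value obtained out of band (from the site's administrator, a wiki page, a phone call), and then pass that one certificate to wget with --ca-certificate. The script assumes openssl and wget are on PATH and that the server certificate is self-signed (as in the thread), so it can serve as its own trust anchor; dss.ucar.edu is the host named in the thread, and the URL path is a placeholder.

```bash
#!/bin/sh
# Added example (not from the thread or from wget itself): pin one self-signed
# certificate instead of passing --no-check-certificate.
# Assumes openssl and wget on PATH; dss.ucar.edu is only an example host.
set -eu

# Capture the certificate the server presents. This is NOT yet trusted: a
# man-in-the-middle could have handed us this one, which is exactly why the
# fingerprint must be checked against a value that did not come over this
# same connection.
fetch_server_cert() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# SHA-256 fingerprint of a PEM certificate as lowercase hex without colons,
# so it can be compared with whatever form the out-of-band value arrives in.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# Download only if the saved certificate matches the fingerprint obtained out
# of band. wget then verifies the server against that single certificate and
# still checks the hostname, so any other certificate is rejected; with
# --no-check-certificate, an attacker's certificate would be accepted silently.
# Usage: fetch_pinned <expected-fingerprint> <cert.pem> <wget arguments...>
fetch_pinned() {
    expected=$(printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f'); pem=$2; shift 2
    actual=$(cert_fingerprint "$pem")
    if [ "$actual" != "$expected" ]; then
        echo "refusing: $pem has fingerprint $actual, expected $expected" >&2
        return 2
    fi
    wget --ca-certificate="$pem" "$@"
}

# Only runs when invoked as: sh pin.sh run
if [ "${1-}" = run ]; then
    fetch_server_cert dss.ucar.edu > dss.pem
    # Compare this value with the one the site's administrator gave you
    # before trusting it; the placeholder below just reuses it.
    echo "fingerprint: $(cert_fingerprint dss.pem)"
    fetch_pinned "$(cert_fingerprint dss.pem)" dss.pem https://dss.ucar.edu/
fi
```

The fingerprint check is the whole point: if the expected value is simply whatever the first connection returned, this degrades to trust-on-first-use, which still beats --no-check-certificate (a later substitution is detected) but does not authenticate the first fetch. Credentials belong on the pinned command line, never on a --no-check-certificate one, since wget sends them before anything about the certificate could be reviewed.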
