On Tuesday 30 September 2014 16:10:18 Giuseppe Scrivano wrote:
> Daniel Kahn Gillmor <[email protected]> writes:
>
> > when wget is built with gnutls, it has the opportunity to use gnutls'
> > TOFU (trust on first use) style of certificate verification [0]. This
> > has the potential to make wget behave similarly to ssh.
> >
> > Is there any interest in exposing this feature to users of wget (only
> > when built with gnutls, and when requested by the user, of course).
> >
> > It's better than --no-check-certificates for dealing with self-signed
> > certs that the user visits more than once.
> >
> > What do wget folks think of this possible feature?
>
> I think that it can be a nice addition since, as you said, people end up
> using --no-check-certificates with self-signed certificates, and TOFU
> can add security in this case.
I had a look at the code, it should be straightforward to implement it...
the question is: when do we want this functionality?

Suggestions:

1. if e.g. --ssh-style-verification is given on the command line (or
   within wgetrc).

2. --no-check-certificate is given AND the cert check (which we always
   perform) fails AND wget is in 'interactive mode' (isatty()==true).

What do you think?

Tim
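
The two gating rules from Tim's message, together with the trust-on-first-use check itself, as an added example that is not part of the thread and not wget's or gnutls' code. It is a stand-alone Python model: the store format (a JSON map of "host:port" to the SHA-256 of the server's SubjectPublicKeyInfo DER), the function names and the sample key bytes are all assumptions made for the example; in a real gnutls build the pin store would be gnutls' own (gnutls_store_pubkey / gnutls_verify_stored_pubkey), and the SPKI would come from the peer certificate.

```python
"""Added example (not wget or gnutls code): a minimal TOFU public-key store
plus the two rules proposed above for when TOFU verification should run."""
import hashlib
import hmac
import json
from typing import Dict

# Assumption: "host:port" -> hex SHA-256 of the server's SPKI DER.
# Pinning the public key (not the whole certificate) survives certificate
# renewals that keep the same key, which is what an ssh-style store wants.
Store = Dict[str, str]


def spki_fingerprint(spki_der: bytes) -> str:
    """Hex SHA-256 over the raw SubjectPublicKeyInfo DER bytes."""
    return hashlib.sha256(spki_der).hexdigest()


def tofu_requested(ssh_style_flag: bool, no_check_certificate: bool,
                   ca_check_passed: bool, is_tty: bool) -> bool:
    """Decide whether to fall through to TOFU verification.

    Rule 1: an explicit --ssh-style-verification option (or wgetrc setting).
    Rule 2: --no-check-certificate was given, the normal CA check (always
            performed) failed, and wget is interactive (isatty() is true).
    If the CA check passed there is nothing for TOFU to add.
    """
    if ssh_style_flag:
        return True
    return no_check_certificate and not ca_check_passed and is_tty


def verify_tofu(store: Store, host: str, port: int, spki_der: bytes) -> str:
    """Trust on first use, keyed by host and port.

    Returns 'stored'   on first contact (key is pinned for next time),
            'match'    when the presented key equals the pinned one,
            'mismatch' when the key changed: the caller must refuse the
                       connection, exactly like ssh's changed-host-key error.
    """
    key = f"{host}:{port}"
    presented = spki_fingerprint(spki_der)
    known = store.get(key)
    if known is None:
        store[key] = presented
        return "stored"
    # Constant-time comparison; the fingerprints are fixed-length hex.
    if hmac.compare_digest(known, presented):
        return "match"
    return "mismatch"


def dump_store(store: Store) -> str:
    """Serialise the pin store (this JSON layout is an assumption)."""
    return json.dumps(store, indent=2, sort_keys=True)


def load_store(text: str) -> Store:
    """Parse a pin store written by dump_store; empty text means no pins."""
    if not text.strip():
        return {}
    data = json.loads(text)
    if not isinstance(data, dict):
        raise ValueError("pin store must be a JSON object")
    return {str(k): str(v) for k, v in data.items()}


if __name__ == "__main__":
    # Constructed sample keys standing in for real SPKI DER blobs.
    first_key = b"constructed-spki-der-1"
    changed_key = b"constructed-spki-der-2"
    store: Store = {}
    # Self-signed cert, CA check failed, user is at a terminal: rule 2 fires.
    assert tofu_requested(False, True, False, True)
    print(verify_tofu(store, "self-signed.test", 443, first_key))    # stored
    print(verify_tofu(store, "self-signed.test", 443, first_key))    # match
    print(verify_tofu(store, "self-signed.test", 443, changed_key))  # mismatch
    print(dump_store(store))
```

The important difference from --no-check-certificate alone is the third call: once a key is pinned, a different key for the same host and port is an error rather than a silent pass, so a later man-in-the-middle cannot swap in its own self-signed certificate. Rule 2 only applies when the CA check actually failed, so hosts with a valid chain never get pinned.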
