On 8/29/2017 7:58 AM, Denys Vlasenko wrote:
I'll cc this to bbox mailing list to humiliate this guy.
On Tue, Aug 29, 2017 at 1:21 PM, <[email protected]> wrote:
I'm trying to update busybox binary on busybox-based system.
When i am trying to download busybox, i have this error
# wget
http://busybox.net/downloads/binaries/1.26.1-defconfig-multiarch/busybox-mips
Connecting to busybox.net[140.211.167.122]:80
wget: not an http or ftp url:
https://busybox.net/downloads/binaries/1.26.1-defconfig-multiarch/busybox-mips
Why you are redirecting to https when https is not supported in most
builds (And my system is too weak to use openssl)? It is some kind of
trolling?
Support for https is added in last released version
OK, but what if you ask for p7zip and get p7zip.7z file? What you use to
unpack it? And how i can download new version with https support without
https support from https-only server? It is stupid like windows device
driver wizard trying to find network device drivers in internet.
I don't remember you having a contract with me to support your operations.
On what moral or legal grounds are you complaining that I did not
write TLS support for wget fast enough for Your Majesty's taste?
Why is anyone downloading replacement binaries for a "too weak" embedded
system over insecure HTTP from that same embedded system? Now all that's
needed to hijack that system is to have a DNS server with a malicious
entry for busybox.net or any other MITM scenario and it becomes trivial
to take over that embedded system. The HTTPS issue shouldn't matter
because this is a really bad idea in the first place, ten times more so
if this download is done automatically.
-Jody
_______________________________________________
busybox mailing list
[email protected]
http://lists.busybox.net/mailman/listinfo/busybox
