>> That's a crime against security!
>
> Say what?

That’s hyperbole. The thing is that when you don’t verify the peer’s certificate, then you’re vulnerable to a MitM attack with fake certificate injection. The whole SSL/TLS is totally useless at that moment. It’s more or less like putting the door’s key under the carpet right in front of the door.

Allowing users to bypass/ignore certificate verification is ok-ish in some situations, but only when the user does it consciously, using an explicit option such as --no-check-certificate, not silently as the default option.

Jakub
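As an added illustration of the point above (example code, not BusyBox's wget), a wget-style client whose TLS context verifies the server certificate by default and only turns verification off when the user passes --no-check-certificate explicitly; the Python ssl module stands in for BusyBox's internal TLS code, and the option parser is a constructed stand-in for wget's.

```python
import ssl
import sys
import warnings

# Added example, not BusyBox code: the flag name matches the one discussed
# in the thread, the parser around it is a constructed stand-in.
NO_CHECK_FLAG = "--no-check-certificate"


def parse_args(argv):
    """Split argv into options and URLs; the only recognised option is the opt-out flag."""
    opts = {"check_certificate": True}   # secure default, not opt-in
    urls = []
    for arg in argv:
        if arg == NO_CHECK_FLAG:
            opts["check_certificate"] = False
        elif arg.startswith("--"):
            raise SystemExit(f"unknown option: {arg}")
        else:
            urls.append(arg)
    return opts, urls


def build_tls_context(check_certificate=True):
    """Return an SSLContext; verification is on unless explicitly disabled."""
    # create_default_context() loads the system CA store and sets
    # verify_mode=CERT_REQUIRED plus check_hostname=True.
    ctx = ssl.create_default_context()
    if not check_certificate:
        # Loud, explicit opt-out: this is the state the internal TLS code
        # silently uses, and it leaves the connection open to a MitM.
        warnings.warn("certificate verification disabled; peer is NOT authenticated",
                      RuntimeWarning)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies_peer(ctx):
    """True only if the context both checks the chain and matches the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


if __name__ == "__main__":
    opts, urls = parse_args(sys.argv[1:])
    ctx = build_tls_context(opts["check_certificate"])
    print("verifies peer:", verifies_peer(ctx), "urls:", urls)
```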

On 2018-05-25 14:19, Denys Vlasenko wrote:
> On Thu, May 24, 2018 at 6:50 PM, Jakub Jirutka <ja...@jirutka.cz> wrote:
>> Internal TLS code (FEATURE_WGET_HTTPS) does not implement validation
>> of the server's certificate.  It is documented in the code, but not
>> even mentioned in the --help message, so users typically don't know
>> about this behaviour.
>>
>>
>> That's a crime against security!
>
> Say what?
_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox