//config: If you still think this is unacceptable, send patches.
That’s exactly what I did.
http://lists.busybox.net/pipermail/busybox/2018-May/086444.html
Jakub
On 2018-05-26 17:54, Denys Vlasenko wrote:
On Sat, May 26, 2018 at 5:39 PM, <[email protected]> wrote:
That's a crime against security!
Say what?
That’s a hyperbole. The thing is that when you don’t verify the peer’s
certificate, then you’re vulnerable to a MitM attack with fake
certificate injection. The whole SSL/TLS is totally useless in that
moment. It’s more or less like putting the door’s key under the carpet
right in front of the door.
Allowing to bypass/ignore certificate verification is ok-ish in some
situations, but only when the user does it consciously, using an
explicit option such as --no-check-certificate, not silently as the
default option.
wget.c:
//config: If you still think this is unacceptable, send patches.
//config:
//config: If you still think this is unacceptable, do not want to send
//config: patches, but do want to waste bandwidth explaining how wrong
//config: it is, you will be ignored.
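The behaviour argued for in the message above (verify the peer by default, skip verification only on an explicit --no-check-certificate), as an added example that is not part of the original thread and is not BusyBox code. The "fetch" program name and the function names are hypothetical; only the option name comes from the thread.

```python
import argparse
import ssl
import urllib.request
import warnings


def parse_args(argv):
    # Hypothetical downloader CLI; only --no-check-certificate is from the thread.
    p = argparse.ArgumentParser(prog="fetch")
    p.add_argument("url")
    p.add_argument("--no-check-certificate", action="store_true",
                   help="skip TLS peer verification (insecure)")
    return p.parse_args(argv)


def tls_context(args):
    """Build the TLS context: verification is on unless the user opted out."""
    # create_default_context() sets CERT_REQUIRED and enables hostname checks.
    ctx = ssl.create_default_context()
    if args.no_check_certificate:
        # Order matters: check_hostname must be cleared before CERT_NONE,
        # otherwise the ssl module raises ValueError.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        # Make the downgrade visible instead of silent.
        warnings.warn("certificate verification disabled for " + args.url,
                      RuntimeWarning)
    return ctx


def fetch(argv):
    """Download the URL; a bad or untrusted certificate raises an error
    unless --no-check-certificate was given on the command line."""
    args = parse_args(argv)
    with urllib.request.urlopen(args.url, context=tls_context(args)) as resp:
        return resp.read()
```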