On 05/26/2018 01:34 PM, Denys Vlasenko wrote:
> wget should work for common use cases.
> Such as downloading sources of kernels, gcc and such.
> From build scripts, not only by hand.
> Without having to modify said scripts.
> Your patch breaks that.
> NAK.
>
> I don't care that security people are upset.
> They are paranoid, it's part of their profession.
> It does not mean everybody else has to be as paranoid.
>
> If you have a patch which adds actual cert checking
> and thus does not introduce regressions, please post it.
It's unacceptable that for something which you see as primarily useful in downloading very important source code, you simply don't care that the source code may be compromised by a MITMed attack.

> On Sat, May 26, 2018 at 6:38 PM, <ja...@jirutka.cz> wrote:
>>> //config: If you still think this is unacceptable, send patches.
>>
>>
>> That’s exactly what I did.
>> http://lists.busybox.net/pipermail/busybox/2018-May/086444.html
>>
>> Jakub
>>
>>
>> On 2018-05-26 17:54, Denys Vlasenko wrote:
>>> On Sat, May 26, 2018 at 5:39 PM, <ja...@jirutka.cz> wrote:
>>>>>> That's a crime against security!
>>>>> Say what?
>>>>
>>>>
>>>> That’s a hyperbole. The thing is that when you don’t verify the peer’s
>>>> certificate, then you’re vulnerable to MitM attack with fake certificate
>>>> injection. The whole SSL/TLS is totally useless in that moment. It’s more
>>>> or less like putting the door’s key under the carpet right in front of the
>>>> door.
>>>>
>>>> Allowing to bypass/ignore certificate verification is ok-ish in some
>>>> situations, but only when the user does it consciously, using an explicit
>>>> option such as --no-check-certificate, not silently as the default option.

The justification for including HTTPS in the first place:
https://git.busybox.net/busybox/tree/networking/wget.c?id=8bc418f07eab79a9c8d26594629799f6157a9466#n74

"my small automatic tooling to build cross-compilers from sources no longer works, I need to additionally keep a local copy of ~4 megabyte source tarball of a SSL library and ~2 megabyte source of wget, need to compile and built both before I can download anything. All this despite the fact that the build is done in a QEMU sandbox on a machine with absolutely nothing worth stealing, so I don't care if someone would go to a lot of trouble to intercept my HTTPS download to send me an altered kernel tarball"

This is incredibly terrible logic, your cross-compiler is now infected with malicious code.
The purpose of compiling code is *usually* to use it, which means that wherever you use that code, you're no longer in a QEMU sandbox, and whichever real box you use it on can now say hello to unlimited arbitrary code execution.

-- 
Eli Schwartz
Bug Wrangler and Trusted User

_______________________________________________
busybox mailing list
firstname.lastname@example.org
http://lists.busybox.net/mailman/listinfo/busybox
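As an added example (not code from this thread or from busybox), here is the kind of fetch helper a build script can use so that the "QEMU sandbox, nothing worth stealing" argument above stops mattering: certificate verification is left on, and the downloaded tarball is additionally checked against a pinned SHA-256, so a tampered download is rejected before it can reach the cross-compiler build. It assumes a wget with TLS support and a `sha256sum` binary (both GNU and busybox versions work); the URL and hash in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not part of the busybox thread: download a source tarball for a
# build script with certificate verification kept enabled and an extra pinned
# SHA-256 check, so an altered tarball is refused regardless of where the
# build runs. Assumes wget with TLS support and sha256sum (GNU or busybox).

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 if FILE hashes to EXPECTED_HEX, 1 otherwise.
verify_sha256() {
    file=$1
    expected=$2
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# fetch_verified URL EXPECTED_HEX DEST
# Downloads URL to DEST. Deliberately never passes --no-check-certificate, so a
# forged certificate makes wget fail instead of silently succeeding. Then
# checks the pinned hash; DEST only appears on disk after both checks pass.
fetch_verified() {
    url=$1
    expected=$2
    dest=$3
    # Download to a temporary name so a half-written or tampered file is never
    # picked up by a later build step under the final name.
    tmp="$dest.part"
    if ! wget -O "$tmp" "$url"; then
        echo "download failed (or certificate rejected) for $url" >&2
        rm -f "$tmp"
        return 1
    fi
    if verify_sha256 "$tmp" "$expected"; then
        mv "$tmp" "$dest"
    else
        echo "SHA-256 mismatch for $url: refusing to install $dest" >&2
        rm -f "$tmp"
        return 1
    fi
}

# Usage in a build script (placeholder URL and hash; take the real hash from the
# project's signed release announcement, not from the same download channel):
#   fetch_verified https://example.invalid/linux.tar.xz <expected-sha256-hex> linux.tar.xz
```

The hash must come from a source independent of the download itself (a signed release announcement, a pinned value committed with the build script); pinning a hash fetched over the same unverified channel adds nothing.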