The story just broke earlier this year how a casino hotel "smart
thermometer" in the fish tank was used as a backdoor to attack the rest
of their network.
If a smart device running busybox is programmed to automatically check
for firmware updates, the designers might expect HTTPS to be a valid
form of security to know that they were accessing their own servers. If
they don't write a test case to verify that certificates are checked,
it's shoddy work, but there's a lot of shoddy work in smart devices.
In such a scenario, anyone on the same wifi would be able to overwrite
the firmware of the device. This almost deserves a CVE number.
-Mike
On 5/26/2018 1:34 PM, Denys Vlasenko wrote:
wget should work for common use cases.
Such as downloading sources of kernels, gcc and such.
From build scripts, not only by hand.
Without having to modify said scripts.
Your patch breaks that.
NAK.
I don't care that security people are upset.
They are paranoid, it's part of their profession.
It does not mean everybody else have to be as paranoid.
If you have a patch which adds actual cert checking
and thus does not introduce regressions, please post it.
On Sat, May 26, 2018 at 6:38 PM, <[email protected]> wrote:
//config: If you still think this is unacceptable, send patches.
That’s exactly what I did.
http://lists.busybox.net/pipermail/busybox/2018-May/086444.html
Jakub
On 2018-05-26 17:54, Denys Vlasenko wrote:
On Sat, May 26, 2018 at 5:39 PM, <[email protected]> wrote:
That's a crime against security!
Say what?
That’s a hyperbole. The thing is that when you don’t verify the peer’s
certificate, then you’re vulnerable to MitM attack with fake certificate
injection. The whole SSL/TLS is totally useless in that moment. It’s more
or
less like putting the door’s key under the carpet right in front of the
door.
Allowing to bypass/ignore certificate verification is ok-ish in some
situations, but only when the user do it consciously, using explicit
option
such as --no-check-certificate, not silently as the default option.
wget.c:
//config: If you still think this is unacceptable, send patches.
//config:
//config: If you still think this is unacceptable, do not want to
send
//config: patches, but do want to waste bandwidth explaining how
wrong
//config: it is, you will be ignored.
_______________________________________________
busybox mailing list
[email protected]
http://lists.busybox.net/mailman/listinfo/busybox
_______________________________________________
busybox mailing list
[email protected]
http://lists.busybox.net/mailman/listinfo/busybox
