Control: severity -1 grave

On 2014-04-28 09:38:42 +0200, Raphael Geissert wrote:
> It is not a bug, it is a missing feature.

It's a bug because it doesn't behave as documented (contrary to curl,
where the way to check for certificate revocation is described in the
man page). Certificate checking (including the check for revocation) is
part of the https security, especially after the Heartbleed bug, where
the risk of old (now revoked) certificate compromise is much higher
than before.

Look at the wget man page, under --no-check-certificate:

  "Only use this option if you are otherwise convinced of the site's
  authenticity, or if you really don't care about the validity of
  its certificate. It is almost always a bad idea not to check the
  certificates when transmitting confidential or important data."

This makes the user (who cares about certificate validity) assume that
without the --no-check-certificate option, the site's authenticity is
guaranteed, while this is currently absolutely wrong with the lack of
revocation checking.

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
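The gap Vincent describes, as an added example that is not part of the bug report, of wget or of curl: a shell script (it assumes the openssl command-line tool, 1.1.1 or later, is in PATH; "Demo CA", "revoked.example" and the temporary directory are invented for the demonstration) that builds a throwaway CA, issues a certificate, revokes it and publishes a CRL, then runs openssl verify twice. The chain-only check is what a client does when it validates the signature chain and nothing else; the second check is the same chain with -crl_check and the CRL supplied. A revoked certificate passes the first and fails the second, which is exactly why "the certificate was checked" does not by itself mean "the certificate is not revoked".

```shell
#!/bin/sh
# Added example, not from the bug report: a throwaway PKI built with the
# openssl CLI that shows a chain check passing for a certificate the CA
# has already revoked. "Demo CA" and "revoked.example" are made-up names.
set -eu

# Build a CA, issue a leaf certificate, revoke it and emit a CRL into $1.
build_pki() {
    dir="$1"
    cat > "$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_crl_days = 1
EOF
    : > "$dir/index.txt"
    echo 1000 > "$dir/serial"
    echo 01 > "$dir/crlnumber"
    # Self-signed CA with cRLSign so it may issue the CRL used below.
    openssl req -config "$dir/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo CA" -extensions v3_ca \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # Leaf certificate for a hypothetical server, signed by that CA.
    openssl req -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=revoked.example" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/leaf.pem" 2>/dev/null
    # Revoke it and publish a CRL, as a CA would after a key compromise.
    openssl ca -config "$dir/ca.cnf" -cert "$dir/ca.pem" -keyfile "$dir/ca.key" \
        -md sha256 -revoke "$dir/leaf.pem" 2>/dev/null
    openssl ca -config "$dir/ca.cnf" -cert "$dir/ca.pem" -keyfile "$dir/ca.key" \
        -md sha256 -gencrl -crldays 1 -out "$dir/crl.pem" 2>/dev/null
}

# Chain check with only the CA trusted, no revocation data: prints OK or FAIL.
verify_chain_only() {
    if openssl verify -CAfile "$1/ca.pem" "$1/leaf.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Same chain check with -crl_check and the CRL supplied: OK, REVOKED or FAIL.
verify_with_crl() {
    if out=$(openssl verify -crl_check -CAfile "$1/ca.pem" \
            -CRLfile "$1/crl.pem" "$1/leaf.pem" 2>&1); then
        echo OK
    else
        case "$out" in
            *"certificate revoked"*) echo REVOKED ;;
            *) echo FAIL ;;
        esac
    fi
}

# Run the whole demonstration in a scratch directory and print one summary line.
revocation_gap_demo() {
    work=$(mktemp -d "${TMPDIR:-/tmp}/revdemo.XXXXXX")
    build_pki "$work"
    chain=$(verify_chain_only "$work")
    crl=$(verify_with_crl "$work")
    rm -rf "$work"
    echo "chain-only=$chain crl-check=$crl"
}

revocation_gap_demo
```

The first verify answers "OK" for a certificate its own issuer has revoked; only the run that is handed the CRL and asked to consult it reports "certificate revoked". curl exposes the equivalent knobs on the command line (--crlfile for a local CRL, --cert-status for OCSP stapling), which is the documented path the message contrasts wget with.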
