Control: tag -1 + pending On Fri, 23 Feb 2018, Kristian Klausen wrote: > Busybox version of wget does not check the certificate at all, which defeat > the purpose of https. > Tested with (on testing): busybox wget 'https://untrusted-root.badssl.com/' > and busybox wget 'https://expired.badssl.com/'
At the same time, ca-certificates is not embedded in the initrd either so certificates could not be checked. And the purpose of https is two-fold: privacy due to encryption (we have that), and authentication with certificates (we don't have that). I don't even know where live-boot is using URL and what for. But I have committed the patch. Cheers, -- Raphaël Hertzog ◈ Debian Developer Support Debian LTS: https://www.freexian.com/services/debian-lts.html Learn to master Debian: https://debian-handbook.info/get/