Re: [Bug-wget] (no subject)

[Micah Cowan]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I disagree with Tony's statement: unless you're having wget spit out
information about what the certificate _is_, how can you claim to
"trust" it? And even doing so, you've already sent the username and
password before you can review what wget said about the certificate.

With --no-check-certificate, the connection is explicitly insecure. Any
man-in-the-middle can hijack the connection, and if you're sending
passwords or sensitive data, the game is over. What you are assured, of
course, is _privacy_, (and data integrity) between yourself and the
remote. What you're not assured, is _who_ the remote is. Authentication
is an essential component of security.

However, in the case of self-signed certs (such as this one), you've
_already_ lost such an assurance, so it can't do much harm. Though, if
you know for a fact that a particular certificate is valid, it'd still
be better to make an explicit exemption for that one certificate, rather
than a blanket "don't worry about it" (unfortunately, wget doesn't
currently offer such a facility: I'll file a bug).

But of course, in the real world, if you're talking about little things,
like access to your private little project's bug tracker, or your
private family photo album, the damage that you would suffer from
exposing your password to an attacker, may well be far lower than the
actual risk that someone would be sufficiently motivated to execute such
an attack against your connection.

- -mjc

Ben Smith wrote:
> OK, I was thrown off by the following line:
>> To connect to dss.ucar.edu insecurely, use `--no-check-certificate'.
> I guess it's referring to the fact that wget can't verify the security rather 
> than it won't be encrypted.
> 
> 
> 
> ----- Original Message ----
>> From: Tony Lewis <address@hidden>
>> To: Ben Smith <address@hidden>
>> Sent: Tuesday, July 28, 2009 11:21:30 AM
>> Subject: RE: [Bug-wget] (no subject)
>>
>> Ben Smith wrote in reply to Rodrigo S Wanderley:
>>
>>> That might not be a good option as it would now be an insecure connection.
>>> Obviously, I don't know if that is an issue for this use, but it's
>> something
>>> to consider. Unfortunately, I can't help with an alternate solution that
>>> would use a secure connection.
>> The use of --no-check-certificate does not make the session insecure. It
>> tells wget that you, the user, trust the validity of the certificate
>> provided by the server even though wget cannot independently verify it.
>>
>> All other aspects of the SSL session are processed normally.
>>
>> Tony
> 
> 
> 
>       
> 


- --
Micah J. Cowan
Programmer, musician, typesetting enthusiast, gamer.
Maintainer of GNU Wget and GNU Teseq
http://micah.cowan.name/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkpvR7wACgkQ7M8hyUobTrE+yQCfZYpyEqgn7nR5hk8TL9NIFSwp
ybwAn0ISJMYOc9CCME5I2jb0BimpaySN
=m5mR
-----END PGP SIGNATURE-----