Re: [Bug-wget] Wget and Perfect Forward Secrecy
From: Daniel Kahn Gillmor
Subject: Re: [Bug-wget] Wget and Perfect Forward Secrecy
Date: Wed, 21 Aug 2013 10:15:05 -0400
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130630 Icedove/17.0.7
On 08/21/2013 03:10 AM, Tim Ruehsen wrote:
> On Tuesday 20 August 2013 18:05:45 Daniel Kahn Gillmor wrote:
>> On 08/15/2013 04:36 AM, Tim Ruehsen wrote:
>>> Beside this 'expert' option, there should be an 'everyone's' option to
>>> force/enable PFS, using --secure-protocol as I already suggested.
>>
>> My only concern about this is what a mirroring/recursive wget would do
>> if it encountered an http:// or ftp:// link within its initial https://
>> fetch. Would wget --secure-protocol refuse to fetch the cleartext link
>> (thereby failing to fully mirror), or would it go ahead and fetch it
>> (thereby failing to require a secure protocol)?
>
> This is a bit OT, since I don't want to change Wget's download algorithm.
>
> It would be a different issue, but FYI:
> If the parent page was HTTP/HTTPS Wget would not follow ftp:// links (except
> requested by --follow-ftp).
> But yes, insecure HTTP URLs will be followed, even if the parent is HTTPS, as
> long as they are on the same host/domain (behaviour can also be changed by -H
> and/or --domains).
i think i didn't make myself very clear here, or maybe i didn't
understand your original proposal. I (think i) already understand the
standard wget mirroring algorithm. My point is that --secure-protocol
as a choice of option name risks implying to the user that all downloads
will be done with a secure protocol, which we know is not the case. or
are you suggesting something like --secure-protocol=PFS ? that doesn't
seem properly orthogonal, since a user might want to indicate which
version(s) of SSL/TLS they want to support *and* enforce PFS where possible.
perhaps --tls-force-pfs or --force-pfs-when-tls or something would be
less misleading (though more arcane, alas).
> Have a look into recur.c/download_child_p() for more detailed information.
> For a new option to not change the protocol from secure to insecure, you
> could easily extend the code.
Yes, an --https-only mode would be pretty cool, regardless of whether
the user wants to force PFS.
Thanks for thinking this through, having these options would be pretty
great.
--dkg
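The follow rules described in the thread (ftp:// only with --follow-ftp, http:// followed from an https:// parent as long as the host matches unless -H is given), plus the proposed https-only mode, modelled as a small decision function. This is an added illustration, not code from wget; the real logic lives in recur.c/download_child_p(), and the `opts` struct, `should_follow` and the `https_only` flag are hypothetical names. Domain lists (--domains) are left out for brevity.

```c
/* Toy model of wget's child-link decision as discussed above.
 * Not wget code: names and the https_only flag are hypothetical. */
#include <stdbool.h>
#include <string.h>

struct opts {
    bool follow_ftp;   /* --follow-ftp: allow ftp:// children */
    bool span_hosts;   /* -H: allow children on other hosts */
    bool https_only;   /* proposed: only ever follow https:// children */
};

/* Copy the scheme ("https") and host ("example.org") out of a URL.
 * Returns false if the URL has no "://" or a field does not fit. */
static bool split_url(const char *url, char *scheme, size_t slen,
                      char *host, size_t hlen)
{
    const char *p = strstr(url, "://");
    if (!p || (size_t)(p - url) >= slen) return false;
    memcpy(scheme, url, p - url);
    scheme[p - url] = '\0';
    p += 3;
    size_t n = strcspn(p, "/:");   /* stop at path or port */
    if (n >= hlen) return false;
    memcpy(host, p, n);
    host[n] = '\0';
    return true;
}

/* True if a recursive fetch that started at `parent` should follow `child`. */
bool should_follow(const struct opts *o, const char *parent, const char *child)
{
    char ps[16], ph[256], cs[16], ch[256];
    if (!split_url(parent, ps, sizeof ps, ph, sizeof ph) ||
        !split_url(child, cs, sizeof cs, ch, sizeof ch))
        return false;
    /* ftp:// links are only followed when explicitly requested. */
    if (strcmp(cs, "ftp") == 0 && !o->follow_ftp) return false;
    /* Stay on the starting host unless -H is given. */
    if (!o->span_hosts && strcmp(ph, ch) != 0) return false;
    /* Proposed https-only mode: never step down to a cleartext scheme.
     * Without it, an https:// parent happily yields http:// children. */
    if (o->https_only && strcmp(cs, "https") != 0) return false;
    return true;
}
```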