[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Bug-wget] wget/gnutls TOFU certificate authentication?
From: |
Tim Ruehsen |
Subject: |
Re: [Bug-wget] wget/gnutls TOFU certificate authentication? |
Date: |
Tue, 30 Sep 2014 16:47:22 +0200 |
User-agent: |
KMail/4.14.1 (Linux/3.16-2-amd64; KDE/4.14.1; x86_64; ; ) |
On Tuesday 30 September 2014 16:10:18 Giuseppe Scrivano wrote:
> Daniel Kahn Gillmor <address@hidden> writes:
> > when wget is built with gnutls, it has the opportunity to use gnutls'
> > TOFU (trust on first use) style of certificate verification [0]. This
> > has the potential to make wget behave similarly to ssh.
> >
> > Is there any interest in exposing this feature to users of wget (only
> > when built with gnutls, and when requested by the user, of course).
> >
> > It's better than --no-check-certificates for dealing with self-signed
> > certs that the user visits more than once.
> >
> > What do wget folks think of this possible feature?
>
> I think that it can be a nice addition since as you said people end up
> to use --no-check-certificates with self signed certificates and TOFU
> can add security in this case.
I had a look at the code, it should be straight forward to implement it... the
question is: when do we want this functionality ?
Suggestions:
1. if e.g. --ssh-style-verification is given on the command line (or within
wgetrc).
2. --no-check-certificate is given AND the cert check (which we always
perform) fails AND wget is in 'interactive mode' (isatty()==true).
What do you think ?
Tim