Re: [Bug-wget] SSL Poodle attack


From: Daniel Kahn Gillmor
Subject: Re: [Bug-wget] SSL Poodle attack
Date: Wed, 15 Oct 2014 17:26:49 -0400
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:32.0) Gecko/20100101 Icedove/32.0

On 10/15/2014 03:10 PM, Tim Rühsen wrote:
> I tried to make clear that Wget *explicitly* asks for SSLv2 and SSLv3 in the
> default configuration when compiled with OpenSSL. Whatever the OpenSSL library
> vendor is doing... it won't affect Wget in this case. So with your attitude,
> you won't ever be safe from Poodle (I guess).
> 
> And again my question: should we change the default behaviour of future
> versions of Wget?
> In other words: since we know the library vendor wouldn't help in the above
> case, what can we do to secure Wget?

hm, i think Tim is on to something here: by default, wget should use the
default ciphersuites and protocol versions selected by the TLS library.
Tweaking the default choices in wget itself tends to make wget more
brittle than the underlying library.

The only way that should work to try to improve security in wget via TLS
implementation preference strings is if the preference string is
explicitly a minor modification of some system default.  This may or may
not be possible depending on the preference string syntax of the
selected TLS implementation.

(e.g. [for OpenSSL] if the system default is always explicitly
referenced as DEFAULT and we decide that we never want wget to use RC4,
then DEFAULT:-RC4 is a sensible approach, because it allows OpenSSL to
update DEFAULT and wget gains those improvements automatically)

        --dkg

Attachment: signature.asc
Description: OpenPGP digital signature
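The approach dkg sketches above (start from the library's DEFAULT and subtract only what you have decided against, rather than hand-picking a frozen list) can be illustrated with Python's ssl module, which wraps OpenSSL and accepts the same cipher-string syntax. The following is an added example, not wget's code and not anything from the thread; the denylist contents, the function names and the use of RC4 as the removed family are this example's own assumptions (RC4 is the name the message uses). It also checks that the library default already refuses SSLv3, the protocol POODLE targets, so no client-side override is needed for that.

```python
"""Build a TLS client context whose cipher policy is a minor modification of
the library DEFAULT, instead of an explicit list that would go stale.
Added, stand-alone example; not wget code and not from the mailing-list thread.
"""
import ssl

# Hypothetical denylist of OpenSSL cipher-string keywords. "RC4" is the family
# named in the message; anything else is this example's own choice.
DENYLIST = ("RC4",)


def preference_string(denylist=DENYLIST):
    """Return an OpenSSL cipher string of the form DEFAULT:-X:-Y.

    Starting from DEFAULT keeps the library vendor's ordering and lets it
    evolve; each '-' entry removes one family without freezing the whole list.
    """
    return "DEFAULT" + "".join(":-" + name for name in denylist)


def build_client_context(denylist=DENYLIST):
    """Client context: library defaults (certificate and hostname verification)
    plus a small denylist applied on top of the default cipher selection."""
    ctx = ssl.create_default_context()
    # set_ciphers raises ssl.SSLError if the string leaves no usable cipher,
    # which is the failure mode a frozen, hand-written list runs into later.
    ctx.set_ciphers(preference_string(denylist))
    return ctx


def negotiable_cipher_names(ctx):
    """Names of the ciphers this context will actually offer."""
    return [c["name"] for c in ctx.get_ciphers()]


def sslv3_disabled(ctx):
    """True if the context refuses SSLv3 without any wget-side override."""
    return bool(ctx.options & ssl.OP_NO_SSLv3)


def offers_family(ctx, family):
    """True if any offered cipher name mentions the given family keyword."""
    return any(family in name for name in negotiable_cipher_names(ctx))


if __name__ == "__main__":
    ctx = build_client_context()
    print("cipher string :", preference_string())
    print("SSLv3 disabled:", sslv3_disabled(ctx))
    print("RC4 offered   :", offers_family(ctx, "RC4"))
    print("ciphers left  :", len(negotiable_cipher_names(ctx)))
```

Because the string starts with DEFAULT, an OpenSSL upgrade that reorders or drops ciphers flows through to this context automatically; only the families explicitly subtracted stay pinned.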
