bug-wget

Re: [Bug-wget] libtlssep and wget


From: Ander Juaristi
Subject: Re: [Bug-wget] libtlssep and wget
Date: Thu, 23 Jul 2015 08:47:34 +0200
User-agent: Thunderbird on Linux

Hi Michael,

You've done amazing work!

Just one simple point that comes to my mind. What will happen if the 
'--no-check-certificate' flag is passed? This flag basically tells Wget not to 
check the validity of the SSL certificates. It asserts the global variable 
'opt.check_cert', and I haven't seen any reference to that variable in your 
code. It's implied that the certificate verification will be performed in 
tlssep_connect(), which is not necessarily bad:

bool
ssl_check_certificate (int fd, const char *host)
{
  /* Covered by tlssep_connect. */
  return true;
}

But as I said, I haven't seen any reference to the opt.check_cert variable 
anywhere, not even around the call to tlssep_connect(), so theoretically, your 
code is completely ignoring the --no-check-certificate flag, causing a 
potential bug in which Wget will fail when a certificate is invalid (or 
self-signed, as well?) even though the user has explicitly told it not to 
verify them.

On 07/23/2015 04:31 AM, W. Michael Petullo wrote:
Wget developers,

I am writing to share some work we did to port wget to a new TLS
library: libtlssep. Libtlssep has two aims: (1) to provide a simpler
API to application developers and (2) to encourage the decomposition of
applications into at least two processes, one of which isolates access
to secret cryptographic keys.

Georgiev et al., Fahl et al., and other researchers have shown that
application developers often misuse existing APIs [e.g., 1, 2].  This work
informs aim (1).

Aim (2) attempts to bring the privilege separation work of Provos et
al. [3] to the domain of TLS in an easy-to-use way.

The current implementation of libtlssep sits between an application
and OpenSSL. We found it quite easy to port wget to libtlssep for a
research prototype, and we would like to share this work with you.

If you are interested in libtlssep, you can find our early wget patch at:

https://www.flyn.org/projects/libtlssep/wget-tlssep.patch

the libtlssep research prototype at:

https://www.flyn.org/projects/libtlssep/
                The libtlssep website.

and more information about libtlssep at:

https://www.flyn.org/publications/2015-libtlssep.pdf
                A paper in submission with SPACE 2015 that includes a
                description of libtlssep along with performance measurements
                and other details.

Thank you,

Mike
:wq

[1] Georgiev et al.: The most dangerous code in the world: validating
SSL certificates in non-browser software. CCS (2012)

[2] Fahl et al.: Why Eve and Mallory love Android: an analysis of Android
SSL (in)security. CCS (2012)

[3] Provos et al.: Preventing privilege escalation. USENIX Security (2003)



--
Regards,
- AJ
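
Added example (not part of the original message, and not code from Wget or libtlssep): a small C model of the concern raised above, where certificate verification happens inside the connect call, so the --no-check-certificate setting has to reach that call. Only opt.check_cert comes from the message; backend_connect, its verify parameter, the cert_state values and the two fetch_* functions are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for Wget's options: true = verify (the default). */
struct options { bool check_cert; };
static struct options opt = { true };

/* Constructed peer certificate states for the simulation. */
enum cert_state { CERT_VALID, CERT_SELF_SIGNED, CERT_EXPIRED };

/* Hypothetical backend that verifies the peer during connect (the role
   tlssep_connect() plays in the message).  The 'verify' parameter is an
   assumption.  Returns 0 on success, -1 when the connection is refused.  */
static int
backend_connect (enum cert_state peer, bool verify, bool *verified)
{
  *verified = (peer == CERT_VALID);
  return (verify && !*verified) ? -1 : 0;
}

/* Before: the user's setting is never consulted, so checks are always on. */
static bool
fetch_ignoring_flag (enum cert_state peer)
{
  bool verified;
  return backend_connect (peer, true, &verified) == 0;
}

/* After: opt.check_cert decides whether a failed verification is fatal;
   an unverified connection is still reported to the user.  */
static bool
fetch_honoring_flag (enum cert_state peer)
{
  bool verified;
  if (backend_connect (peer, opt.check_cert, &verified) < 0)
    return false;
  if (!verified)
    fprintf (stderr, "WARNING: certificate not verified, continuing\n");
  return true;
}

int
main (void)
{
  opt.check_cert = false;   /* user passed --no-check-certificate */
  printf ("ignoring flag: %d\n", fetch_ignoring_flag (CERT_SELF_SIGNED));
  printf ("honoring flag: %d\n", fetch_honoring_flag (CERT_SELF_SIGNED));
  return 0;
}
```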


