[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-wget] --no-check-cert does not avoid cert warning

From: Giuseppe Scrivano
Subject: Re: [Bug-wget] --no-check-cert does not avoid cert warning
Date: Tue, 01 Dec 2015 18:39:06 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

Ángel González <address@hidden> writes:

> On 30/11/15 22:33, Tim Rühsen wrote:
>> There is the situation where --no-check-cert is implicitly set (.wgetrc,
>> /etc/wgetrc, alias) and the user isn't aware of it. Just downloading without 
>> a
>> warning opens a huge security hole because you can't verify where you
>> downloaded it from (DNS attacks, MITM).
>> I leave it to your imagination what could happen to people in unsafe
>> countries... this warning could save lives.
>> For an expert like Karl, this is just annoying.
>> The warning text could be worked on, makeing clear that you are really 
>> leaving
>> secure ground, that cert checking has been explicitly turned off and how to
>> turn it on again. And only proceed if you really, really are aware of what 
>> you
>> are doing.
>> Of course all this applies to HTTP (plain text) as well. But someone
>> requesting HTTPS and than dropping the gained security should be warned by
>> default.
>> My thinking is a pessimistic approach, but as long as you can't be 100% sure
>> that bad things can't happend due to dropping the warning, we should leave it
>> (and improve it the best we can).
>> Tim
> An alternative to make  --no-check-certificate silent would be to
> provide a parameter to explicitely silence it:
>  --no-check-certificate=quiet

good idea, it looks like a good compromise.  Tim, would it work for you?
We will keep the current behavior, and brave users can use the new


reply via email to

[Prev in Thread] Current Thread [Next in Thread]