Re: [Bug-wget] [PATCH] Trivial changes in HSTS

From: Ander Juaristi
Subject: Re: [Bug-wget] [PATCH] Trivial changes in HSTS
Date: Fri, 8 Apr 2016 22:33:37 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Icedove/38.5.0

Hi Tim,

You're right, but the downside is that it could cause a denial of service. I was being driven by section 14.5 of RFC 6797. If another user modifies your HSTS file and puts a server that does not have HTTPS enabled, then you won't be able to contact that server, because wget will attempt to do it via HTTPS all the time.


On 07/04/16 12:52, Tim Ruehsen wrote:
> On Wednesday 06 April 2016 14:31:17 Juaristi Álamos, Ander wrote:
>> Hi all,
>>
>> Here are some patches for HSTS.
>>
>>   - 0001: checks the HSTS database file is not world-writable, and
>> refuses to read it if it is, and disables HSTS. This was in my original
>
> Doesn't it make sense to share the HSTS database globally ? It is basically
> global data (domain specific) and not user specific.
>
> Thinking forward, a central (trusted) database/daemon for HSTS entries would
> be nice - sooner or later almost any domain supports HSTS. Each process
> loading/saving a huge file would not be efficient.
>
> Same goes for e.g. cert pinning (but not for cookies which are private data).
>
> Regards, Tim
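The check that patch 0001 describes (refuse a world-writable HSTS store and run with HSTS disabled) and the reason given for it in the reply above (another user editing the store so that a host without HTTPS becomes unreachable), written out as an added example in C. This is illustrative code, not wget's patch or wget's own HSTS code; the function names, the verdict enum, the additional "owned by the calling user" rule and the fstat-on-the-open-fd structure are assumptions of this example, not something the thread states.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Fallbacks for platforms whose fcntl.h lacks these flags; a value of 0
   drops that protection instead of breaking the build. */
#ifndef O_NOFOLLOW
#define O_NOFOLLOW 0
#endif
#ifndef O_CLOEXEC
#define O_CLOEXEC 0
#endif

/* Hypothetical verdicts for this example (not wget's API). */
enum hsts_file_verdict {
    HSTS_FILE_OK = 0,
    HSTS_FILE_NOT_REGULAR,    /* directory, FIFO, device: never a store */
    HSTS_FILE_WORLD_WRITABLE, /* any local user could plant an HSTS entry */
    HSTS_FILE_FOREIGN_OWNER   /* the owner can edit it whatever the mode bits say */
};

/* Pure policy decision, kept free of I/O so it can be tested on synthetic
   attributes. 'me' is the uid the store must belong to (normally geteuid()).
   The owner rule is an assumption beyond the patch, which only checks
   world-writability; a globally shared store as Tim proposes would have to
   relax it, e.g. to "root-owned and neither group- nor world-writable". */
enum hsts_file_verdict
hsts_db_check_attrs(mode_t mode, uid_t owner, uid_t me)
{
    if (!S_ISREG(mode))
        return HSTS_FILE_NOT_REGULAR;
    if (mode & S_IWOTH)
        return HSTS_FILE_WORLD_WRITABLE;
    if (owner != me)
        return HSTS_FILE_FOREIGN_OWNER;
    return HSTS_FILE_OK;
}

const char *hsts_verdict_str(enum hsts_file_verdict v)
{
    switch (v) {
    case HSTS_FILE_OK:             return "ok";
    case HSTS_FILE_NOT_REGULAR:    return "not a regular file";
    case HSTS_FILE_WORLD_WRITABLE: return "world-writable";
    case HSTS_FILE_FOREIGN_OWNER:  return "owned by another user";
    }
    return "unknown";
}

/* Open the store read-only and vet the file that was actually opened.
   Using fstat() on the descriptor rather than stat() on the path removes
   the window in which the path could be swapped between check and use.
   Returns the fd, or -1 with *why set to the policy reason (errno is set
   instead and *why is HSTS_FILE_OK when the OS call itself failed). */
int hsts_db_open_checked(const char *path, enum hsts_file_verdict *why)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);

    *why = HSTS_FILE_OK;
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    *why = hsts_db_check_attrs(st.st_mode, st.st_uid, geteuid());
    if (*why != HSTS_FILE_OK) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    uid_t me = geteuid();

    if (argc > 1) {
        /* Vet a real file: on refusal the caller would continue with HSTS disabled. */
        enum hsts_file_verdict why;
        int fd = hsts_db_open_checked(argv[1], &why);
        if (fd < 0) {
            if (why != HSTS_FILE_OK)
                printf("%s: refusing HSTS store (%s); HSTS disabled for this run\n",
                       argv[1], hsts_verdict_str(why));
            else
                printf("%s: %s\n", argv[1], strerror(errno));
            return 1;
        }
        printf("%s: HSTS store accepted\n", argv[1]);
        close(fd);
        return 0;
    }

    /* No path given: show the policy on constructed attribute combinations. */
    printf("0644, own file  -> %s\n", hsts_verdict_str(hsts_db_check_attrs(S_IFREG | 0644, me, me)));
    printf("0666, own file  -> %s\n", hsts_verdict_str(hsts_db_check_attrs(S_IFREG | 0666, me, me)));
    printf("0644, other uid -> %s\n", hsts_verdict_str(hsts_db_check_attrs(S_IFREG | 0644, me + 1, me)));
    return 0;
}
```

Run it with a path (`./a.out ~/.wget-hsts`) to vet a real store, or with no arguments to print the policy on constructed attributes. Note that, like the patch as described, the mode check only looks at the world-writable bit, so a group-writable store (0664) still passes; whether that is acceptable depends on who shares the group.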
