bug-wget

[Bug-wget] [bug #51666] Please hash the hostname in ~/.wget-hsts files


From: Ethan Welker
Subject: [Bug-wget] [bug #51666] Please hash the hostname in ~/.wget-hsts files
Date: Fri, 24 Aug 2018 01:18:46 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0

Follow-up Comment #4, bug #51666 (project wget):

Hello!

I've written a series of patches (attached) that adds this feature. Please let
me know if there's some other way that I should be submitting these instead.

Some notes:

* I have little security experience, so these should be checked over somewhat
carefully.
* The OpenSSL implementation of ssl_hash_salt uses functions only in OpenSSL
0.9.7 and later. I'm not familiar enough with OpenSSL to get it to support
anything prior to that, but the rest of openssl.c seems to imply that some
versions before that are supported. Sorry about this!
* This patch seamlessly and automatically converts old hsts databases to
hashed databases. Unpatched versions of Wget parse those databases without
issue, though they functionally ignore any converted entry.
** If a patched Wget creates a hashed entry for an HSTS-enabled website, then
an unpatched Wget creates an unhashed entry for the same website, then a
patched Wget converting that entry will create a duplicate entry in the store.
I'm not sure how much of a concern this is.
* This switches the HSTS store from a hash table to an array, and each search
for a host creates a hash for each element in that array until either one
matches or the end of the array is reached. This isn't a problem for
reasonably sized stores; in my test on a 50-entry .wget-hsts, an unpatched
wget was 100 ms _slower_ (presumably due to network jitter). However, I can
imagine that if you have several thousand entries this could become a
noticeable slowdown.

(file #44842, file #44843, file #44844)
    _______________________________________________________

Additional Item Attachment:

File name: 0001-Add-utility-functions-for-hashing-and-salting.patch  Size: 4 KB
File name: 0002-src-hsts.c-Hash-HSTS-enabled-domains-to-improve-priv.patch  Size: 23 KB
File name: 0003-src-hsts.c-Add-test-for-hashed-domains-stored-in-dat.patch  Size: 2 KB


    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?51666>

_______________________________________________
  Message sent via Savannah
  https://savannah.gnu.org/
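The design sketched in the comment above (per-entry salted hostname hashes, automatic conversion of plaintext entries, and a linear scan that hashes the queried host against every stored salt) can be illustrated with a small model. The following Python is an added example written for this page, not the attached patches or wget's own code: it assumes wget's tab-separated layout (hostname, port, include_subdomains, created, max_age), invents a "salt:digest" encoding for the hashed host field, and merges a plaintext entry into an existing hashed entry for the same host so that the duplicate-entry case described in the comment does not arise on conversion.

```python
import hashlib
import os
import time

# Constructed sample of an unhashed store in wget's tab-separated layout:
# hostname, port, include_subdomains, created, max_age.  Field layout is
# assumed for this example; the "salt:digest" host field below is invented.
OLD_STORE = """# HSTS 1.0 Known Hosts database for GNU Wget.
example.com\t0\t1\t1535000000\t31536000
login.example.net\t0\t0\t1535000000\t15768000
"""
SALT_LEN = 16  # bytes of random salt per entry (assumed value)


def hash_host(host, salt):
    """Salted SHA-256 of the lower-cased hostname, hex encoded."""
    return hashlib.sha256(salt + host.lower().encode("ascii")).hexdigest()


def parent_domains(host):
    """'a.b.example.com' -> ['a.b.example.com', 'b.example.com', 'example.com']."""
    labels = host.lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


class HstsStore:
    def __init__(self, salt_source=os.urandom):
        # An array rather than a hash table: hashed names cannot be used as keys,
        # so every lookup rehashes the query once per stored entry.
        self.entries = []
        self._salt_source = salt_source

    def load(self, text):
        """Parse a store; plaintext entries are converted to hashed ones."""
        for line in text.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            host_field, port, incl, created, max_age = line.split("\t")
            entry = {"port": int(port), "incl": incl == "1",
                     "created": int(created), "max_age": int(max_age)}
            if ":" in host_field:  # hostnames never contain ':', so this is hashed
                salt_hex, digest = host_field.split(":", 1)
                entry["salt"], entry["digest"] = bytes.fromhex(salt_hex), digest
                self.entries.append(entry)
            else:
                self.add(host_field, entry)

    def _exact_index(self, host, port):
        """Index of the entry whose digest matches this exact host, or None."""
        for i, e in enumerate(self.entries):
            if e["port"] == port and hash_host(host, e["salt"]) == e["digest"]:
                return i
        return None

    def add(self, host, entry):
        """Store host hashed; merge into an existing entry for the same host
        (for example a plaintext duplicate appended by an unpatched wget)."""
        idx = self._exact_index(host, entry["port"])
        if idx is not None:
            old = self.entries[idx]
            if entry["created"] >= old["created"]:
                entry["salt"], entry["digest"] = old["salt"], old["digest"]
                self.entries[idx] = entry
            return
        entry["salt"] = self._salt_source(SALT_LEN)
        entry["digest"] = hash_host(host, entry["salt"])
        self.entries.append(entry)

    def lookup(self, host, port=0, now=None):
        """Return the matching unexpired entry or None.  Cost is one hash per
        entry, plus one per parent label for include_subdomains entries."""
        now = time.time() if now is None else now
        for e in self.entries:
            if e["port"] != port or e["created"] + e["max_age"] < now:
                continue
            candidates = parent_domains(host) if e["incl"] else [host]
            if any(hash_host(c, e["salt"]) == e["digest"] for c in candidates):
                return e
        return None

    def dump(self):
        """Serialise with hashed host fields; no plaintext hostname survives."""
        lines = ["# HSTS 1.0 Known Hosts database for GNU Wget."]
        for e in self.entries:
            lines.append("\t".join([e["salt"].hex() + ":" + e["digest"],
                                    str(e["port"]), "1" if e["incl"] else "0",
                                    str(e["created"]), str(e["max_age"])]))
        return "\n".join(lines) + "\n"
```

An unpatched wget reading the dumped file would treat each "salt:digest" field as a hostname that never matches, which is the "parsed but functionally ignored" behaviour the comment describes. The per-entry salt is what prevents a precomputed table of popular hostnames from being matched against the whole store at once, at the cost of the linear scan the comment flags as a concern for very large stores.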



