Re: [Bug-wget] Wget and Perfect Forward Secrecy

[Daniel Kahn Gillmor]

On 08/21/2013 10:45 AM, Tim Ruehsen wrote:
> 1. --secure-protocol=PFS (or whatever we agree on) for "everyone" (users that 
> have no or not enough knowledge about GnuTLS/OpenSSL option strings).
> As the other --secure-protocol types (like e.g. 'auto'), this would map to a 
> fixed option string.

if what if a user wanted to both (a) negotiate PFS and (b) exclude SSLv2
and SSLv3 ? Could they do that using --secure-protocol or would they
need to graduate to fancier configurations?

> 2. (to be discussed) --gnutls-options=<GnuTLS option string> and/or --openssl-
> options=<OpenSSL option string> for "experts". Here you can give your own 
> idea 
> of an option string. You can put these into /etc/wgetrc or ~/.wgetrc as 
> default and override them via command line whenever the need arises.

If wget offers both 1 and 2, how would the two options interact if used
together?

I'm asking these questions to try to illuminate what i think are the
corner cases of the ideas, not because i think the ideas are bad ideas.
 i like them both, and want to see them work sensibly :)

> I guess your suggestion of an --https-only mode fits into the current 
> security 
> discussion and I like it. I am pretty sure, people will use it.
> 
> I would like to wait another week or so for feedback before I start creating 
> a 
> patch (for my two points above). Are you going to implement --https-only ?

i'm afraid i don't have time to implement --https-only in the forseeable
future, sorry :(

        --dkg

signature.asc
Description: OpenPGP digital signature