bug-wget

Re: [Bug-wget] please remove SSLv3 from being used until explicitly specified


From: Ángel González
Subject: Re: [Bug-wget] please remove SSLv3 from being used until explicitly specified
Date: Thu, 16 Oct 2014 21:34:19 +0200
User-agent: Thunderbird

On 16/10/14 19:01, Tim Rühsen wrote:
> On Thursday, 16 October 2014, 14:03:43, Christoph Anton Mitterer wrote:
> > Also, wget seems to have this --secure-protocol=PFS, which seems a
> > bit strange to me, since PFS is not a property of TLS/SSL itself but
> > rather the algorithms used.
> > Especially, when specifying --secure-protocol=PFS one shouldn't end up
> > with SSLv2/3 accidentally :)
> Thanks for your input.
>
> We are just discussing that issue (and of course anybody is invited to take
> part here on the list).
>
> While we (developers) could change the code in a few minutes, there might be
> side effects that we (or others) don't want. At least we need an agreement with
> the maintainers on what the optimal strategy looks like.
>
> If you are *really* in a hurry, patch the source yourself.
> But I guess the distribution maintainers will provide patches in the next few
> days.
>
> How we change the default behaviour of Wget and maybe what additional features
> we want to give to the users still needs a bit of polishing.
>
> Regards, Tim
First of all, note that wget doesn't react to a disconnect with a downgraded retry, thus it is mainly not vulnerable to POODLE (you could only use CVE-2014-3566 against servers not supporting TLS).

Then, even in that case, as an attacker won't be able to dynamically connect in the background to another site, exploitation would be much harder (something like a recursive download on an attacker-controlled server (such as http) which is redirecting _some_ requests to the https target). For little gain, as it's very unlikely that such a wget would hold any secret for that server connection (I think you would need to use --load-cookies with a file shared with another -sensitive- batch processing).

That said, I agree with the proposal of not connecting by default to SSL v3 servers and requiring it to be forced with --secure-protocol or --no-check-certificate.
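To make the downgrade argument above concrete, here is an added toy model (written for this page, not wget's own code) of how a client's version policy, a handshake-dropping attacker and a server's supported versions decide which protocol a connection ends on; the policy sets are assumptions about the effect of the --secure-protocol choices discussed in the thread, and the version names and server profiles are constructed.

```python
# Added toy model (not wget's own code) of TLS/SSL version negotiation under
# an active attacker. Version names and policy sets are constructed here.
VERSIONS = ["TLSv1.2", "TLSv1.1", "TLSv1.0", "SSLv3"]  # newest to oldest

# Assumed effect of a few client policies; these are not wget's real
# --secure-protocol tables, only the cases argued about in the thread.
POLICY_AUTO_2014 = set(VERSIONS)             # accept anything, SSLv3 included
POLICY_NO_SSLV3 = set(VERSIONS) - {"SSLv3"}  # the proposed new default
POLICY_FORCED_SSLV3 = {"SSLv3"}              # explicitly forced by the user


def negotiate(client_allowed, server_supported, attacker_drops_tls, fallback_retry):
    """Return the version the connection ends on, or None if it fails.

    client_allowed     -- versions the client policy permits
    server_supported   -- versions the server offers
    attacker_drops_tls -- an on-path attacker tears down every handshake that
                          would settle on a TLS version (the POODLE downgrade)
    fallback_retry     -- after a failed handshake the client retries with the
                          next lower version (browser-style); wget does not
    """
    # Highest mutually acceptable version is tried first, as a real handshake would.
    candidates = [v for v in VERSIONS if v in client_allowed and v in server_supported]
    for version in candidates:
        if attacker_drops_tls and version != "SSLv3":
            if not fallback_retry:
                return None  # handshake broken and no retry: the download fails
            continue         # fallback client walks down one version and tries again
        return version
    return None              # nothing in common (or the policy refuses SSLv3)


def exposed_to_poodle(client_allowed, server_supported, attacker_drops_tls, fallback_retry):
    """True when the connection would end on SSLv3, where CVE-2014-3566 applies."""
    return negotiate(client_allowed, server_supported, attacker_drops_tls, fallback_retry) == "SSLv3"


if __name__ == "__main__":
    modern = set(VERSIONS)  # constructed: server that speaks TLS as well as SSLv3
    legacy = {"SSLv3"}      # constructed: server not supporting TLS at all
    for name, server in (("TLS-capable server", modern), ("SSLv3-only server", legacy)):
        print(name)
        print("  fallback client, auto policy, attacker: ", negotiate(POLICY_AUTO_2014, server, True, True))
        print("  wget-like client, auto policy, attacker:", negotiate(POLICY_AUTO_2014, server, True, False))
        print("  wget-like client, no-SSLv3 policy:      ", negotiate(POLICY_NO_SSLV3, server, False, False))
        print("  wget-like client, forced SSLv3:         ", negotiate(POLICY_FORCED_SSLV3, server, False, False))
```

The model reproduces the point made above: without a downgrade retry, an attacker can only make the connection fail against a TLS-capable server, and the residual SSLv3 exposure is limited to servers that offer nothing else, which the proposed default refuses unless SSLv3 is forced.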