wget-dev

wget2 | information leak with ocsp validation (#664)


From: frigo (@freedge1)
Subject: wget2 | information leak with ocsp validation (#664)
Date: Sat, 11 May 2024 16:09:47 +0000


frigo created an issue: https://gitlab.com/gnuwget/wget2/-/issues/664



We discovered that wget2 implements OCSP verification (we noticed that because some firewall was blocking TCP Fast Open connections, which is also used by wget2).

wget2 tries to validate the chain of certificates and sends requests to OCSP responders, with the certificate serial in clear text. Anyone sniffing the network is able to catch the serial number, search it (e.g. over https://crt.sh/) and link it with the client IP.

This is an issue with the OCSP protocol (see https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol#Privacy_concerns) that is fixed with the usage of OCSP stapling, but wget will fall back to contacting the OCSP responder directly.

I think the safe default for wget should be to never contact the OCSP responder itself.

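To make the leak described in the report concrete, here is an added example (not wget2 code and not from the reporter) that builds an unsigned OCSPRequest as defined in RFC 6960 with a minimal DER encoder, wraps it in the HTTP POST form a client would send to a responder, and then recovers the certificate serial from that wire-level byte string exactly as a passive observer or a network sensor could, without any key or session state. The serial number, issuer name bytes and issuer key bytes are constructed sample values, and the hash inputs are placeholders for the issuer's DER-encoded Name and SubjectPublicKeyInfo that a real client would hash.

```python
"""Minimal DER encoder/decoder showing what an OCSP request (RFC 6960) exposes
on the wire: the certificate serial number, in cleartext.  Added example; not
wget2 code.  Serial and issuer inputs below are constructed sample values."""
import hashlib

SHA1_OID = "1.3.14.3.2.26"  # id-sha1, the hash algorithm used in CertID here


def der_len(n: int) -> bytes:
    """Encode a DER length (short form below 0x80, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """Tag-Length-Value wrapper."""
    return bytes([tag]) + der_len(len(content)) + content


def der_int(value: int) -> bytes:
    """DER INTEGER: minimal big-endian two's-complement encoding."""
    body = value.to_bytes((value.bit_length() // 8) + 1, "big", signed=True)
    return tlv(0x02, body)


def der_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER from dotted notation (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def parse_tlvs(buf: bytes):
    """Yield (tag, content) for each top-level TLV in buf."""
    i = 0
    while i < len(buf):
        tag = buf[i]
        length = buf[i + 1]
        i += 2
        if length & 0x80:  # long form: next (length & 0x7F) bytes hold the length
            n = length & 0x7F
            length = int.from_bytes(buf[i:i + n], "big")
            i += n
        yield tag, buf[i:i + length]
        i += length


def build_ocsp_request(issuer_name_der: bytes, issuer_spki_der: bytes, serial: int) -> bytes:
    """Unsigned OCSPRequest with one CertID (RFC 6960 4.1.1); version v1 is omitted."""
    cert_id = tlv(0x30,
                  tlv(0x30, der_oid(SHA1_OID) + tlv(0x05, b""))          # AlgorithmIdentifier
                  + tlv(0x04, hashlib.sha1(issuer_name_der).digest())     # issuerNameHash
                  + tlv(0x04, hashlib.sha1(issuer_spki_der).digest())     # issuerKeyHash
                  + der_int(serial))                                      # serialNumber
    request_list = tlv(0x30, tlv(0x30, cert_id))   # SEQUENCE OF Request
    tbs_request = tlv(0x30, request_list)          # TBSRequest
    return tlv(0x30, tbs_request)                  # OCSPRequest (no optionalSignature)


def extract_serials(ocsp_request_der: bytes) -> list:
    """Walk OCSPRequest -> TBSRequest -> requestList -> Request -> CertID and
    return every serialNumber found.  This is all an on-path observer needs."""
    (_, ocsp_body), *_ = parse_tlvs(ocsp_request_der)
    (_, tbs), *_ = parse_tlvs(ocsp_body)                 # first child is TBSRequest
    # [0] version / [1] requestorName use context tags; requestList is the SEQUENCE
    request_list = next(c for t, c in parse_tlvs(tbs) if t == 0x30)
    serials = []
    for _, req in parse_tlvs(request_list):
        (_, cert_id), *_ = parse_tlvs(req)
        fields = list(parse_tlvs(cert_id))
        tag, serial_bytes = fields[3]                    # 4th field of CertID
        assert tag == 0x02, "serialNumber must be an INTEGER"
        serials.append(int.from_bytes(serial_bytes, "big", signed=True))
    return serials


def serials_from_http_post(raw: bytes) -> list:
    """What a passive sensor sees: an HTTP POST whose body is the DER request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    if b"application/ocsp-request" not in head.lower():
        return []
    return extract_serials(body)


# Constructed sample traffic: a client falling back to a live OCSP query.
SAMPLE_SERIAL = 0x0123456789ABCDEF0123456789ABCDEF
SAMPLE_REQUEST = build_ocsp_request(b"constructed-issuer-name-der",
                                    b"constructed-issuer-spki-der", SAMPLE_SERIAL)
SAMPLE_POST = (b"POST / HTTP/1.1\r\nHost: ocsp.example\r\n"
               b"Content-Type: application/ocsp-request\r\n"
               b"Content-Length: " + str(len(SAMPLE_REQUEST)).encode() + b"\r\n\r\n"
               + SAMPLE_REQUEST)

if __name__ == "__main__":
    for s in serials_from_http_post(SAMPLE_POST):
        print(f"certificate serial visible on the wire: {s:x}")
```

The same walk works on the GET form of the request (RFC 6960 appendix A, base64 of the DER in the URL path) once the path is decoded. A stapled response, by contrast, is delivered by the server inside the TLS handshake, so the client never sends this request and there is nothing for an observer to correlate with the client IP; a sensor that flags `application/ocsp-request` POSTs leaving a network is therefore a simple way to find clients that still fall back to live OCSP.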



