wget2 | information leak with ocsp validation (#664)
From: frigo (@freedge1)
Subject: wget2 | information leak with ocsp validation (#664)
Date: Sat, 11 May 2024 16:09:47 +0000
frigo created an issue: https://gitlab.com/gnuwget/wget2/-/issues/664
We discovered that wget2 implements OCSP verification (we noticed that because
some firewall was blocking TCP Fast Open connections, which is also used by
wget2).
wget2 tries to validate the chain of certificates and sends requests to OCSP
responders, with the certificate serial in clear text.
Anyone sniffing the network is able to catch the serial number and search it
(e.g. over https://crt.sh/) and link it with the client IP.
This is an issue with the OCSP protocol (see
https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol#Privacy_concerns)
that is fixed with the usage of OCSP stapling, but... wget will fall back to
contacting the OCSP responder directly.
I think the safe default for wget should be to never contact the OCSP responder
itself.
--
Reply to this email directly or view it on GitLab:
https://gitlab.com/gnuwget/wget2/-/issues/664
- wget2 | information leak with ocsp validation (#664),
frigo (@freedge1) <=
- Re: wget2 | information leak with ocsp validation (#664), frigo (@freedge1), 2024/05/11
- Re: wget2 | information leak with ocsp validation (#664), @rockdaboot, 2024/05/12
- Re: wget2 | information leak with ocsp validation (#664), @rockdaboot, 2024/05/12
- Re: wget2 | information leak with ocsp validation (#664), frigo (@freedge1), 2024/05/12
- Re: wget2 | information leak with ocsp validation (#664), @rockdaboot, 2024/05/18
- Re: wget2 | information leak with ocsp validation (#664), @rockdaboot, 2024/05/18
- Re: wget2 | information leak with ocsp validation (#664), Romain Geissler (@Romain-Geissler-1A), 2024/05/18
- Re: wget2 | information leak with ocsp validation (#664), @rockdaboot, 2024/05/19
- Re: wget2 | information leak with ocsp validation (#664), Romain Geissler (@Romain-Geissler-1A), 2024/05/19