wget-dev

Re: wget2 | information leak with ocsp validation (#664)


From: @rockdaboot
Subject: Re: wget2 | information leak with ocsp validation (#664)
Date: Mon, 20 May 2024 11:02:45 +0000



Tim Rühsen commented on a discussion: 
https://gitlab.com/gnuwget/wget2/-/issues/664#note_1912429197


This is basically what we want :) Maybe we can fine-tune the verbosity in the 
future (e.g. only print the privacy leak message once per command 
invocation or so). But that is low priority for me right now.

What is puzzling is the message "OCSP stapling is not supported by 
'objects.githubusercontent.com'".
For me, this domain supports stapling and I reproducibly get this output:
```
$ wget2 --ocsp --no-tcp-fastopen https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-1.7.1.tar.gz
WARNING: OCSP stapling is not supported by 'github.com', but OCSP validation has been requested.
WARNING: This implies a privacy leak: the client sends the certificate serial ID over HTTP to the CA.
jq-1.7.1.tar.gz.4    100% [=============================================================================>]    1.85M    --.-KB/s
                          [Files: 1  Bytes: 1.85M [3.30MB/s] Redirects: 1  Todo: 0  Errors: 0            ]
```

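The wget2 warning quoted above says what an un-stapled OCSP check puts on the wire. The script below is an added illustration, not wget2 code and not from the thread author: it uses only the openssl CLI (1.1.1 or 3.x assumed) to build a throwaway CA and leaf certificate, constructs the OCSP request a client would POST to the responder without sending it, and shows that the request carries the leaf certificate's serial number (next to the issuer name and key hashes). The CA name, host name and the responder URL http://ocsp.example.test/ are placeholders that are never contacted.

```shell
#!/bin/sh
# Added example (not wget2 code): what a non-stapling OCSP check sends.
# Everything below is a constructed throwaway PKI; no network is used.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_test_pki() {
  # Throwaway CA, trusted by nothing outside this script.
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -days 1 2>/dev/null
  # Leaf certificate request for a placeholder host name.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  # AIA extension with a placeholder OCSP responder; nothing here contacts it.
  printf 'authorityInfoAccess = OCSP;URI:http://ocsp.example.test/\n' > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" -days 1 2>/dev/null
}

# Responder URL a client without a stapled response would POST to,
# read from the leaf's AIA extension (plain http:// is the norm for OCSP).
ocsp_responder_url() {
  openssl x509 -in "$WORK/leaf.pem" -noout -ocsp_uri
}

# Serial number the leaf certificate carries, for comparison.
leaf_serial() {
  openssl x509 -in "$WORK/leaf.pem" -noout -serial | sed 's/^serial=//'
}

# Build the OCSP request offline (no -url, so it is written, never sent)
# and extract the serial number embedded in its CertID.  This is the value
# that leaves the client in cleartext when the server does not staple.
ocsp_request_serial() {
  openssl ocsp -issuer "$WORK/ca.pem" -cert "$WORK/leaf.pem" -no_nonce \
    -reqout "$WORK/req.der" -req_text 2>/dev/null \
    | sed -n 's/^ *Serial Number: *//p'
}

make_test_pki
echo "responder (plain HTTP): $(ocsp_responder_url)"
echo "leaf serial:            $(leaf_serial)"
echo "serial in OCSP request: $(ocsp_request_serial)"
```

The two serial lines print the same value: the responder learns exactly which certificate, and therefore which site, the client is about to talk to. To check whether a real server staples before relying on `--ocsp`, run `openssl s_client -connect host:443 -servername host -status </dev/null`; a stapling server produces an "OCSP Response Data:" block with "OCSP Response Status: successful", while a non-stapling one prints "OCSP response: no response sent".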