Information
ID: 673
PHID: PHID-TASK-ag7e242onamjwq2xidqq
Author: Patrick
Status at Migration Time: resolved
Priority at Migration Time: Normal
Description
We sometimes need commands such as the following in the wiki.
wget https://www.torproject.org/dist/torbrowser/7.0a3/sandbox-0.0.6-linux64.zip.asc
wget is more usable than plain curl on the command line. But is wget secure?
There was a pretty strange bug. Not sure it was ever fixed.
https://lists.gnu.org/archive/html/bug-wget/2012-07/msg00015.html
Is wget vulnerable to sslstrip?
Simple wrapper called scurl, that adds "--tlsv1 --proto =https" in front of all invocations of "curl" when running "scurl".
https://github.com/Whonix/scurl/blob/master/usr/bin/scurl
scurl makes things simpler than typing --tlsv1.2 --proto =https. But it’s still inconvenient.
I used to use like…
scurl https://www.torproject.org/dist/torbrowser/7.0a3/sandbox-0.0.6-linux64.zip.asc > sandbox-0.0.6-linux64.zip.asc
Which is cumbersome.
Perhaps scurl should also prepend --remote-name? Then we could simply use:
scurl https://www.torproject.org/dist/torbrowser/7.0a3/sandbox-0.0.6-linux64.zip.asc
(Which would result in:)
curl --tlsv1.2 --proto =https --remote-name https://www.torproject.org/dist/torbrowser/7.0a3/sandbox-0.0.6-linux64.zip.asc
scurl isn’t the answer either, since it’s mostly only available in Whonix so it does not work for instructions generally everywhere.
Is curl with --proto =https required? Is curl otherwise vulnerable to sslstrip?
TODO:
- ask if curl is vulnerable to sslstrip / https downgrade attacks
- ask if wget is vulnerable to sslstrip / https downgrade attacks
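Added example, not part of the original task and not the Whonix scurl script: a POSIX shell function that can be pasted into instructions where scurl is not installed. The names https_fetch and HTTPS_FETCH_DRY_RUN are hypothetical; --proto-redir and --remote-name-all are curl options that the task itself does not mention.

```shell
# https_fetch URL...
# Downloads each URL to a file named after its remote name, https only.
# Set HTTPS_FETCH_DRY_RUN=1 to print the curl command line instead of running it.
https_fetch() {
    if [ "$#" -eq 0 ]; then
        echo "usage: https_fetch URL..." >&2
        return 2
    fi

    # Accept only explicit https:// URLs. Anything else (http://, ftp://,
    # a bare host name, or a curl option) is refused before curl is called.
    for url in "$@"; do
        case "$url" in
            https://*) ;;
            *)
                echo "https_fetch: refusing non-https argument: $url" >&2
                return 1
                ;;
        esac
    done

    # --tlsv1.2            require TLS 1.2 or newer
    # --proto =https       allow https only for the request itself
    # --proto-redir =https allow https only for redirects, in case redirect
    #                      following is switched on elsewhere (e.g. ~/.curlrc)
    # --remote-name-all    behave as if --remote-name were given for every URL
    set -- --tlsv1.2 --proto =https --proto-redir =https --remote-name-all "$@"

    if [ "${HTTPS_FETCH_DRY_RUN:-0}" = 1 ]; then
        echo "curl $*"
        return 0
    fi
    curl "$@"
}
```
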
Comments
Patrick
2017-05-07 13:22:58 UTC
Patrick
2017-05-08 12:52:01 UTC
HulaHoop
2017-05-09 15:52:38 UTC
HulaHoop
2017-05-09 16:44:56 UTC
Patrick
2017-05-16 15:30:32 UTC
Patrick
2017-05-24 21:12:25 UTC
Patrick
2023-02-17 10:52:15 UTC