
document https downgrade sslstrip defenses - wget vs curl vs scurl
Closed, Resolved (Public)

Description

We sometimes need commands such as the following in the wiki.

wget https://www.torproject.org/dist/torbrowser/7.0a3/sandbox-0.0.6-linux64.zip.asc

wget is more usable than plain curl on the command line. But is wget secure?

There was a pretty strange bug. Not sure it was ever fixed.

https://lists.gnu.org/archive/html/bug-wget/2012-07/msg00015.html

Is wget vulnerable to sslstrip?


A simple wrapper called scurl that adds "--tlsv1 --proto =https" in front of all invocations of "curl" when running "scurl".

https://github.com/Whonix/scurl/blob/master/usr/bin/scurl

scurl makes things simpler than typing --tlsv1.2 --proto =https. But it's still inconvenient.

I used to use something like...

scurl https://www.torproject.org/dist/torbrowser/7.0a3/sandbox-0.0.6-linux64.zip.asc > sandbox-0.0.6-linux64.zip.asc

Which is cumbersome.

Perhaps scurl should also prepend --remote-name? Then we could simply use:

scurl https://www.torproject.org/dist/torbrowser/7.0a3/sandbox-0.0.6-linux64.zip.asc

(Which would result in:)

curl --tlsv1.2 --proto =https --remote-name https://www.torproject.org/dist/torbrowser/7.0a3/sandbox-0.0.6-linux64.zip.asc

scurl isn't the answer either, since it's mostly only available in Whonix so it does not work for instructions generally everywhere.

Is curl with --proto =https required? Is curl otherwise vulnerable to sslstrip?


TODO:

  • ask if curl is vulnerable to sslstrip / https downgrade attacks
  • ask if wget is vulnerable to sslstrip / https downgrade attacks

Details

Impact
Normal

Event Timeline

Could you work on this one, please? @HulaHoop

I'm on it.

HSTS is a server-side opt-in standard, meaning it can fail silently if the user does not force a request to use SSL. So it's useless by itself.

https://stackoverflow.com/a/38835162


Curl does not detect or warn against protocol changes during redirect. No one has stepped up to add patches. Users run "--proto-redir =https" instead, which protects against downgrade but has the side effect of making things harder.

https://github.com/curl/curl/issues/226
https://github.com/curl/curl/issues/1026
https://curl.haxx.se/docs/todo.html#Refuse_downgrade_redirects


Wget can force SSL, but without it, it's vulnerable. As for the buggy behavior you mentioned: it seems to check server certs against installed root CAs by default. To stop this, use "--no-check-certificate" in combination with one of the commands that point to a PEM file of choice to fail closed.

https://www.gnu.org/software/wget/manual/html_node/HTTPS-_0028SSL_002fTLS_0029-Options.html


> scurl isn't the answer either, since it's mostly only available in Whonix so it does not work for instructions generally everywhere.

Hopefully this can change if it's accepted upstream by privacy maintainers.
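As an added example (not the Whonix scurl script and not part of this task), here is a POSIX-shell wrapper that combines the two points raised above: the --remote-name convenience proposed in the description, and the "--proto-redir =https" redirect restriction from the curl discussion, plus a wget counterpart. The function names (scurl_cmd, swget_cmd, require_https_url) and the up-front https:// URL check are this example's own choices. Every flag passed to curl is a documented curl option; for wget, --https-only and --secure-protocol are documented options, but it is an assumption of this example that --https-only also rejects an HTTPS-to-HTTP redirect (the manual describes it in terms of which links are followed), so verify that against the wget version you ship before relying on it.

```shell
#!/bin/sh
# Added example, not the Whonix scurl script: hardened download wrappers that
# fail closed on non-https:// URLs before the tool even starts, and tell
# curl/wget to refuse an HTTPS -> HTTP redirect (the sslstrip-style downgrade
# discussed in the task).

# Reject anything that is not an https:// URL. Returning 2 (like curl's own
# "failed to initialize" exit code) keeps this usable in `set -e` scripts.
require_https_url() {
    case "$1" in
        https://*) return 0 ;;
        *) printf 'refusing non-https URL: %s\n' "$1" >&2; return 2 ;;
    esac
}

# Print (do not run) the curl command line for a URL. All flags are real curl
# options:
#   --tlsv1.2             refuse anything below TLS 1.2
#   --proto =https        only HTTPS for the initial request
#   --proto-redir =https  only follow redirects that stay on HTTPS
#   --location            actually follow redirects (a bare 30x body is not the file)
#   --fail                exit non-zero on HTTP >= 400 instead of saving the error page
#   --remote-name         save under the URL's basename, as proposed in the task
scurl_cmd() {
    require_https_url "$1" || return 2
    printf 'curl --tlsv1.2 --proto =https --proto-redir =https --location --fail --remote-name %s\n' "$1"
}

# wget counterpart. --https-only and --secure-protocol=TLSv1_2 are documented
# wget options; that --https-only also blocks an https->http redirect is an
# assumption of this example to be checked against your wget version.
swget_cmd() {
    require_https_url "$1" || return 2
    printf 'wget --https-only --secure-protocol=TLSv1_2 %s\n' "$1"
}

# The real wrappers: same flags, URL passed as a single argument, no eval.
scurl() {
    require_https_url "$1" || return 2
    curl --tlsv1.2 --proto =https --proto-redir =https --location --fail --remote-name "$1"
}

swget() {
    require_https_url "$1" || return 2
    wget --https-only --secure-protocol=TLSv1_2 "$1"
}
```

Usage is then the short form the description asked for, `scurl https://www.torproject.org/dist/torbrowser/7.0a3/sandbox-0.0.6-linux64.zip.asc`, with the file saved under its basename, and a redirect to http:// or an `http://` URL typed by mistake produces a non-zero exit instead of a silently downgraded download.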