Page MenuHomePhabricator

document https downgrade sslstrip defenses - wget vs curl vs scurl
Closed, ResolvedPublic

Description

We sometimes need commands such as the following in the wiki.

wget https://www.torproject.org/dist/torbrowser/7.0a3/sandbox-0.0.6-linux64.zip.asc

wget is more usable than plain curl in command line. But is wget secure?

There was a pretty strange bug. Not sure it was ever fixed.

https://lists.gnu.org/archive/html/bug-wget/2012-07/msg00015.html

Is wget vulnerable to sslstrip?


Simple wrapper called scurl, that adds "--tlsv1 --proto =https" in front of all invocations of "curl" when running "scurl".

https://github.com/Whonix/scurl/blob/master/usr/bin/scurl

scurl makes things simpler than typing --tlsv1.2 --proto =https. But it's still inconvenient.

I used to use like...

scurl https://www.torproject.org/dist/torbrowser/7.0a3/sandbox-0.0.6-linux64.zip.asc > sandbox-0.0.6-linux64.zip.asc

Which is cumbersome.

Perhaps scurl should also prepend --remote-name? Then we could simply use:

scurl https://www.torproject.org/dist/torbrowser/7.0a3/sandbox-0.0.6-linux64.zip.asc

(Which would result in:)

curl --tlsv1.2 --proto =https --remote-name https://www.torproject.org/dist/torbrowser/7.0a3/sandbox-0.0.6-linux64.zip.asc

scurl isn't the answer either, since it's mostly only available in Whonix so it does not work for instructions generally everywhere.

Is curl with --proto =https required? Is curl otherwise vulnerable to sslstrip?


TODO:

  • ask if curl is vulnerable to sslstrip / https downgrade attacks
  • ask if wget is vulnerable to sslstrip / https downgrade attacks

Details

Impact
Normal

Event Timeline

Patrick created this task.May 7 2017, 3:22 PM

Could you work on this one please? @HulaHoop

Could you work on this one please? @HulaHoop

I'm on it.

HSTS is a server side opt-in standard meaning it can fail silently if the user does not force a request to use SSL. So its useless by itself.

https://stackoverflow.com/a/38835162


Curl does not detect or warn against protocol changes during redirect. No one has stepped up to add patches. Users run "--proto-redir =https" instead which protects against downgrade but has the side effect of making things harder.

https://github.com/curl/curl/issues/226
https://github.com/curl/curl/issues/1026
https://curl.haxx.se/docs/todo.html#Refuse_downgrade_redirects


Wget can force ssl but without it, its vulnerable. As for the buggy behavior you mentioned - it seems to check server certs against installed root CAs by default. To stop this use "--no-check-certificate" in combination with one of the commands that point to a PEM file of choice to fail closed.

https://www.gnu.org/software/wget/manual/html_node/HTTPS-_0028SSL_002fTLS_0029-Options.html


scurl isn't the answer either, since it's mostly only available in Whonix so it does not work for instructions generally everywhere.

Hopefully this can change if its accepted upstream by privacy maintainers.