On Sat 2017-08-05 09:59:32 -0400, Chris Lamb wrote:
> I can't help but think of ~/.ssh/known_hosts which moved to hashing the
> hostname for various security/privacy concerns. Shouldn't wget make the
> parallel change?
I think the changes to ~/.ssh/known_hosts are mainly security theater, and they make ~/.ssh/known_hosts significantly harder to use for other purposes (e.g. "is there some foo.biz server that I've forgotten about?"). There's a ton of other places (e.g. bash history, browser history, etc.) where similar information leaks into the local filesystem, accessible by the user.

Hopefully this perspective isn't too much on the side of privacy nihilism. I'm happy to be called out if it is! But my instinct is that we should avoid making these files more complex than they need to be.

If we want to protect the ~/.wget-hsts file or other HTTP client state, we should be using filesystem and other operating system permissions to protect it. It's a good catch that this file should never be world-readable in the user's home directory -- that's a serious leak, due to the homedir often being world-readable by default (e.g. for public folder sharing, dropboxes, and the like). The version of wget that I've got (1.19.2-1) currently just creates it with 777 & umask -- that's a problem:

    0 dkg@alice:~$ rm -f .wget-hsts && wget -O /dev/null -q https://www.debian.org && ls -la .wget-hsts
    -rw-r--r-- 1 dkg dkg 169 Dec  7 17:45 .wget-hsts
    0 dkg@alice:~$

But the more sensible solution is what Tim mentions -- clean up the permissions or stash the file in an unreadable subdirectory.

More generally, the fact of wget keeping state by default is maybe surprising for some people -- wget doesn't keep cookies by default, for example. Perhaps wget should prefer a state directory where all of its state can be kept by default, rather than having to specify all of --save-cookies --load-cookies --hsts-file to manage HTTP client state coherently? Then we could even use ephemeral filesystems, ephemeral filesystem encryption keys, or other fundamental protections to keep the state protected and private.

--dkg
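The permission problem reproduced in the shell session above, and the "clean up the permissions or stash the file in an unreadable subdirectory" fix, as an added example that is not code from the thread or from wget; the `.wget/hsts` path and the `demo()` helper are assumptions for illustration only:

```python
import os
import shutil
import stat
import tempfile


def is_group_or_world_readable(path: str) -> bool:
    """True if any group/other permission bit is set on path."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def create_private_state_file(path: str) -> str:
    """Create (or reopen) an HTTP-client state file that other local users
    cannot read, whatever the caller's umask: the parent directory is forced
    to 0700, the file is created with mode 0600, and fchmod() tightens a
    pre-existing file that was created with lax permissions earlier."""
    state_dir = os.path.dirname(path)
    os.makedirs(state_dir, mode=0o700, exist_ok=True)
    os.chmod(state_dir, 0o700)  # makedirs() leaves an existing dir alone
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    try:
        os.fchmod(fd, 0o600)  # umask can only clear bits; fix them here
    finally:
        os.close(fd)
    return path


def demo() -> dict:
    """Reproduce the report in a scratch directory (constructed, not ~):
    a file opened with the default 0666 & ~umask ends up 0644 under the
    usual umask of 022, i.e. world-readable; the hardened helper does not."""
    root = tempfile.mkdtemp()
    old_umask = os.umask(0o022)
    try:
        lax = os.path.join(root, ".wget-hsts")
        with open(lax, "w"):  # default mode 0666, masked to 0644
            pass
        hardened = create_private_state_file(os.path.join(root, ".wget", "hsts"))
        return {
            "lax_leaks": is_group_or_world_readable(lax),
            "hardened_leaks": is_group_or_world_readable(hardened),
            "hardened_mode": stat.S_IMODE(os.stat(hardened).st_mode),
            "dir_mode": stat.S_IMODE(os.stat(os.path.dirname(hardened)).st_mode),
        }
    finally:
        os.umask(old_umask)
        shutil.rmtree(root, ignore_errors=True)
```

The same check can be run against a real home directory to audit existing files: any state file for which `is_group_or_world_readable()` is true should be tightened or moved.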