"wget https://payment-web.mercanet.bnpparibas.net/payment" does a download without an error while the certificate has been revoked: Indeed, Firefox says: Warning: Potential Security Risk Ahead Firefox detected a potential security threat and did not continue to payment-web.mercanet.bnpparibas.net. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details. Firefox blocked your visit to this site because the certificate provided for payment-web.mercanet.bnpparibas.net has been revoked and isn’t trusted anymore. Error code: SEC_ERROR_REVOKED_CERTIFICATE
Control: severity -1 normal Not the maintainer, but I'll chime in anyway. Certificate revocation as designed and implemented is mostly incompatible with the modern Internet. Some browsers somewhat get around this by relying on their motherships' internet services and doing an online query for "possible security threats". However, neither the GNU wget authors nor Debian operate such services TTBOMK, and I would expect people to complain loudly about these being a privacy violation. The classic option of using OCSP a) has mostly been turned off in browsers and b) is currently being phased out by all CAs. A tool like wget is not in a position to fetch CRLs from all possibly involved CAs for each request it makes. These CRLs are unwieldy in size, making this completely impractical. For some background you can read https://letsencrypt.org/2022/09/07/new-life-for-crls Best, Chris
This is not correct. https://blog.mozilla.org/en/firefox/crlite/ claims: "CRLite is efficient enough to store *all* certificate revocations locally, requiring only 300KB per day of continuous updates to stay current." 300KB per day is very little for the security gain. BTW, I'm wondering why this isn't implemented system-wide. This is old.
CRLite is not the CA-provided CRL, but a Mozilla-operated thing. Somebody would have to drive ecosystem-wide adoption. But from a bit of searching I couldn't find client libraries, or any info on how non-Mozilla stuff could use it. Chris