Control: severity -1 normal

On Sat, Sep 06, 2025 at 05:56:49PM +0200, Vincent Lefevre wrote:
> Package: wget
> Version: 1.25.0-2
> Severity: grave
> Tags: security
> Justification: user security hole
> X-Debbugs-Cc: Debian Security Team <[email protected]>
> 
> "wget https://payment-web.mercanet.bnpparibas.net/payment" does
> a download without an error while the certificate has been revoked:
> 
> Indeed, Firefox says:
> Error code: SEC_ERROR_REVOKED_CERTIFICATE

Not the maintainer, but I'll chime in anyway.

Certificate revocation as designed and implemented is mostly
incompatible with the modern Internet. Some browsers somewhat get
around this by relying on their mothership's internet services and
doing an online query for "possible security threats".

However, neither the GNU wget authors nor Debian operate such services
TTBOMK, and I would expect people to complain loudly about these
being a privacy violation.

The classic option of using OCSP is a) mostly turned off in
browsers and b) currently being phased out by all CAs.

A tool like wget is not in the position to fetch CRLs from all
possibly involved CAs for each request it makes. These CRLs are
unwieldy in size, making this completely impractical.

For some background you can read 
https://letsencrypt.org/2022/09/07/new-life-for-crls

Best,
Chris
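As an added illustration of the CRL-based check discussed in the reply above (example code, not from the bug report, wget or Debian): a throwaway CA is created locally, a leaf certificate is issued and revoked, a CRL is published, and the same leaf is verified once without and once with the CRL. All names (Demo Root CA, revoked.example.test, the config file) are constructed for the example; nothing touches the network.

```shell
#!/bin/sh
# Added example: show that a plain chain check passes a revoked certificate
# while a CRL-aware check rejects it. Everything is generated locally.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal 'openssl ca' configuration (constructed for this example).
cat > ca.cnf <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
new_certs_dir = .
certificate = ca.pem
private_key = ca.key
serial = serial
crlnumber = crlnumber
default_md = sha256
default_crl_days = 1
policy = any_pol
[ any_pol ]
commonName = supplied
EOF
: > index.txt; echo 1000 > serial; echo 1000 > crlnumber

# Self-signed root, then a leaf issued by it.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/CN=Demo Root CA" -days 2 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=revoked.example.test" 2>/dev/null
openssl ca -batch -config ca.cnf -in leaf.csr -out leaf.pem -days 1 2>/dev/null

# Revoke the leaf and publish the CRL that records the revocation.
openssl ca -config ca.cnf -revoke leaf.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null

# verify_leaf [crl-file]: exit 0 if leaf.pem verifies against the CA.
# Revocation is only checked when a CRL file is supplied, which mirrors a
# client that never fetches CRLs: the revoked certificate looks fine to it.
verify_leaf() {
  if [ -n "$1" ]; then
    openssl verify -CAfile ca.pem -CRLfile "$1" -crl_check leaf.pem >/dev/null 2>&1
  else
    openssl verify -CAfile ca.pem leaf.pem >/dev/null 2>&1
  fi
}
```

wget exposes the same mechanism through its `--crl-file=FILE` option, which only helps when the caller already holds a current CRL for the issuing CA.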
