Information leak with OCSP validation
We discovered that wget2 implements OCSP verification (we noticed it because a firewall was blocking TCP Fast Open connections, which wget2 also uses). wget2 tries to validate the certificate chain and sends requests to the OCSP responders with the certificate serial number in clear text. Anyone sniffing the network can capture the serial number, look it up (e.g. via https://crt.sh/) and link it to the client IP. This is an issue with the OCSP protocol itself (see https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol#Privacy_concerns) that is fixed by OCSP stapling, but wget will fall back to contacting the OCSP responder directly.
I think the safe default for wget should be to never contact the OCSP responder itself.
Thanks for your work on this great tool!