How to Verify Server Hostname with Wget on Ubuntu

This article explains how to securely download files using the wget command on Ubuntu by verifying the server’s identity. It focuses on the specific command-line option required to enforce hostname checking during HTTPS connections, ensuring data integrity and protection against man-in-the-middle attacks.

To download a file and verify the server’s hostname using wget, you should use the –check-hostname option. This flag forces wget to verify that the server’s hostname matches the common name (CN) or subject alternative name (SAN) in the SSL/TLS certificate presented by the server.

Here is the basic syntax for using this option:

wget --check-hostname https://example.com/file.zip

While modern versions of wget often enable SSL verification by default when using HTTPS URLs, explicitly adding this flag ensures that the connection is terminated if the hostname verification fails. This is critical for security when scripting automated downloads or handling sensitive data.

If the hostname does not match the certificate, wget will refuse to download the file and display an error message. This prevents attackers from intercepting the connection using a valid certificate issued for a different domain. Always prefer HTTPS URLs alongside this option to guarantee encrypted transmission and authenticated server identity.