From mboxrd@z Thu Jan 1 00:00:00 1970
From: Leo Famulari
Subject: bug#27437: Source downloader accepts X.509 certificate for incorrect domain
Date: Thu, 22 Jun 2017 00:09:01 -0400
Message-ID: <20170622040901.GA8700@jasmine.lan>
References: <20170621061752.GA32412@jasmine.lan> <87lgolipi0.fsf@gnu.org>
In-Reply-To: <87lgolipi0.fsf@gnu.org>
List-Id: Bug reports for GNU Guix
To: Ludovic Courtès
Cc: 27437@debbugs.gnu.org

On Wed, Jun 21, 2017 at 12:50:15PM +0200, Ludovic Courtès wrote:
> Leo Famulari skribis:
> > While working on some package updates, I found that the source code
> > downloader will accept an X.509 certificate for an incorrect site.

[...]
> IOW, since we’re checking the integrity of the tarball anyway, and we
> assume developers checked its authenticity when writing the recipe, then
> who cares whether downloads.xiph.org has a valid certificate?
>
> Does it make sense?

Yeah, I think it makes sense if checking the certificates would add too
much complexity for what I think is a minor benefit: protecting against
exploitation of bugs by MITM (but not xiph.org) in whatever code runs
after the connection is initiated and before the hash is calculated.
Perhaps a MITM could send a huge file and fill up the disk or something
like that.

Closing the bug, but more thoughts are welcome!

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAllLQtoACgkQJkb6MLrK
fwhMyxAApxsRED537lydYJgSiFpK3TVENAoDDZB0fouwVJWdANOIrS5KM6yJiJg7
vKa3i+avqIWizndZd3qE9eyYDOV78FO6l2pI2Q4XejYMDHlMx/XH+TM9XWGSb8mC
EfUV3f7JIeq6EJlfbLEk0y3Hv9ZrnMQynhWNtul1HVZKxa+xCw8sgJ/pIGVaCzsI
zDtfvpD0cwPW8Fd8v0jZDed95sxwqtManSRElTbXyrP4diKnoPbC39xRKLXdLAg5
0YSBs710qZi2G6GInLYlPm/bqJqDd7//IEsAMyRfgsN1YOKe2uUVkJqpuPj0TitH
1WRyV9Gs0UJNyqJKB4m79jG39UTFwHjPZHXAezb+9xVmatUFzUfkRbmwJYG8GpQy
OHcacB+GsH6CoVQ5heKpNVdD5rX/01709Ml7BFL5NAkz7k7Bh4HeKAjlGlucV2Jk
QHwvJzOlgs3nbron+CRz6VcXp/iB8p54YsWeR3noFcEteSlDAQP8IZwuM9W5Obaj
JH2cbzHoKys1spcHmLRjlGj+Z4IXPcny1wrRu3VNFhdc/y0qM5GA+GR1erejdC5q
cg0ulF9uubojBikpMmkRVbVX0A2x56azsLXntIma2RCSDiq/aJcyF7LaIMoQLSJ+
mGwg2vt3Sd5ijwq+ZhnTEKTDFqu4N5uoMVF7M+VrJd9FZaarl8Y=
=+guX
-----END PGP SIGNATURE-----
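The trade-off discussed in this thread, as an added example that is not Guix's own downloader code: the recipe's content hash, not the certificate's subject name, is what pins the tarball, so a man-in-the-middle who can present a certificate for some other name cannot substitute a tarball undetected; what the hash alone does not bound is how many bytes the client consumes before it can check the hash. The function below reads the body under a hard size cap and only then compares the SHA-256, which closes the "send a huge file and fill up the disk" case. It is written in Python rather than Guile so it runs stand-alone here; the sample bodies, their hash and the class names are constructed for the example and are not real xiph.org artifacts.

```python
"""Bounded download with content-hash verification (added example, not Guix code)."""
import hashlib
import hmac
import io


class IntegrityError(Exception):
    """Downloaded bytes do not match the expected SHA-256."""


class SizeLimitExceeded(Exception):
    """Body grew past the declared cap before the hash could be checked."""


def fetch_verified(stream, expected_sha256: str, max_bytes: int,
                   chunk_size: int = 64 * 1024) -> bytes:
    """Read `stream` in chunks, enforce `max_bytes`, then check the hash.

    The cap is applied while reading, so a peer who controls the connection
    cannot make us buffer or write an unbounded body. The hash is compared
    only after the whole (bounded) body has been read. Returns the verified
    bytes, or raises on either failure.
    """
    digest = hashlib.sha256()
    buf = io.BytesIO()
    total = 0
    while True:
        # Never request more than one byte past the cap, so an oversized
        # body is detected after max_bytes + 1 bytes, not after a full chunk.
        chunk = stream.read(min(chunk_size, max_bytes + 1 - total))
        if not chunk:
            break
        total += len(chunk)
        if total > max_bytes:
            raise SizeLimitExceeded(
                f"body exceeds {max_bytes} bytes; aborting before hashing")
        digest.update(chunk)
        buf.write(chunk)
    actual = digest.hexdigest()
    if not hmac.compare_digest(actual, expected_sha256):
        raise IntegrityError(f"sha256 mismatch: got {actual}, expected {expected_sha256}")
    return buf.getvalue()


# Constructed sample bodies standing in for a source tarball (not real data).
GENUINE = b"\x1f\x8b" + b"genuine-tarball-contents" * 100
GENUINE_SHA256 = hashlib.sha256(GENUINE).hexdigest()   # what the recipe would pin
TAMPERED = b"\x1f\x8b" + b"backdoored-tarball-cont!" * 100   # same length, different bytes
HUGE = b"\x00" * (1024 * 1024)   # a MITM streaming filler to fill the disk


def demo() -> dict:
    """Run the three cases and report which check caught each one."""
    results = {}
    cap = len(GENUINE)
    results["genuine"] = fetch_verified(io.BytesIO(GENUINE), GENUINE_SHA256, cap) == GENUINE
    try:
        fetch_verified(io.BytesIO(TAMPERED), GENUINE_SHA256, cap)
        results["tampered"] = "accepted"
    except IntegrityError:
        results["tampered"] = "rejected by hash"
    huge_stream = io.BytesIO(HUGE)
    try:
        fetch_verified(huge_stream, GENUINE_SHA256, cap)
        results["huge"] = "accepted"
    except SizeLimitExceeded:
        results["huge"] = "rejected by size cap"
    # How much of the oversized body was actually consumed before aborting.
    results["huge_bytes_read"] = huge_stream.tell()
    return results


if __name__ == "__main__":
    print(demo())
```

The cap has to come from the recipe (an expected size, or a generous per-package maximum), since nothing the peer sends can be trusted before the hash matches. Note what this does not cover: the TLS handshake, HTTP parsing and decompression that run before the first chunk reaches this function are still exposed to a peer who can terminate the connection, which is the residual risk the message above describes.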