From: "Leo Famulari" <leo@famulari.name>
To: Damien Cassou <damien@cassou.me>, 39419@debbugs.gnu.org
Subject: bug#39419: On the use of HTTPS for substitute server
Date: Tue, 04 Feb 2020 18:32:29 -0500 [thread overview]
Message-ID: <2c0b7fb7-02af-4920-845e-01ac63a8c831@www.fastmail.com> (raw)
In-Reply-To: <87v9ombf5r.fsf@cassou.me>
On Tue, Feb 4, 2020, at 09:28, Damien Cassou wrote:
> In the manual, section Package Management>Substitutes, I can read:
>
> > Substitute URLs can be either HTTP or HTTPS. HTTPS is recommended
> > because communications are encrypted; conversely, using HTTP makes all
> > communications visible to an eavesdropper, who could use the information
> > gathered to determine, for instance, whether your system has unpatched
> > security vulnerabilities.
>
> A few pages later, I read:
>
> > When using HTTPS, the server’s X.509 certificate is _not_ validated
> > (in other words, the server is not authenticated), contrary to what
> > HTTPS clients such as Web browsers usually do. This is because Guix
> > authenticates substitute information itself, as explained above, which
> > is what we care about (whereas X.509 certificates are about
> > authenticating bindings between domain names and public keys.)
>
> Doesn't the second paragraph contradict a bit the first? It seems to me
> that not validating a server's certificate means the client is
> vulnerable to a MITM attack where the attacker would know "whether your
> system has unpatched security vulnerabilities".
When substituting over HTTPS, the communication session with the remote
server is encrypted using TLS, as expected. It is guarded against
passive eavesdropping. However, the certificate itself is not validated
against the X.509 PKI (Mozilla's).
So, someone who could MITM as <https://ci.guix.gnu.org> could use their
own X.509 certificate and pretend to be that server.
With this capability, they could send you substitutes that your Guix
would then authenticate as having been signed by the official Guix
substitute signing key. Guix would also check that it was the substitute
it had asked for. So, unless we have missed something, the worst case is
you get the right data from the wrong server.
Guix's security model already supports mirroring of substitutes by
arbitrary remote servers. That is, the security model is about signing
substitutes, not authenticating remote servers. So, I think that it's
not very important to verify TLS certs here, and not needing a working
certificate store for substitutes improves reliability.
The relevant code for the latest Guix release is here:
https://git.savannah.gnu.org/cgit/guix.git/tree/guix/scripts/substitute.scm=
?h=3Dv1.0.1#n669
next prev parent reply other threads:[~2020-02-04 23:33 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-04 14:28 bug#39419: On the use of HTTPS for substitute server Damien Cassou
2020-02-04 23:32 ` Leo Famulari [this message]
2020-02-05 10:34 ` Damien Cassou
2020-02-05 18:39 ` Leo Famulari
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2c0b7fb7-02af-4920-845e-01ac63a8c831@www.fastmail.com \
--to=leo@famulari.name \
--cc=39419@debbugs.gnu.org \
--cc=damien@cassou.me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).