* bug#39419: On the use of HTTPS for substitute server @ 2020-02-04 14:28 Damien Cassou 2020-02-04 23:32 ` Leo Famulari 0 siblings, 1 reply; 4+ messages in thread From: Damien Cassou @ 2020-02-04 14:28 UTC (permalink / raw) To: 39419 In the manual, section Package Management>Substitutes, I can read: > Substitute URLs can be either HTTP or HTTPS. HTTPS is recommended > because communications are encrypted; conversely, using HTTP makes all > communications visible to an eavesdropper, who could use the information > gathered to determine, for instance, whether your system has unpatched > security vulnerabilities. A few pages later, I read: > When using HTTPS, the server’s X.509 certificate is _not_ validated > (in other words, the server is not authenticated), contrary to what > HTTPS clients such as Web browsers usually do. This is because Guix > authenticates substitute information itself, as explained above, which > is what we care about (whereas X.509 certificates are about > authenticating bindings between domain names and public keys.) Doesn't the second paragraph contradict a bit the first? It seems to me that not validating a server's certificate means the client is vulnerable to a MITM attack where the attacker would know "whether your system has unpatched security vulnerabilities". -- Damien Cassou "Success is the ability to go from one failure to another without losing enthusiasm." --Winston Churchill ^ permalink raw reply [flat|nested] 4+ messages in thread
* bug#39419: On the use of HTTPS for substitute server 2020-02-04 14:28 bug#39419: On the use of HTTPS for substitute server Damien Cassou @ 2020-02-04 23:32 ` Leo Famulari 2020-02-05 10:34 ` Damien Cassou 0 siblings, 1 reply; 4+ messages in thread From: Leo Famulari @ 2020-02-04 23:32 UTC (permalink / raw) To: Damien Cassou, 39419 On Tue, Feb 4, 2020, at 09:28, Damien Cassou wrote: > In the manual, section Package Management>Substitutes, I can read: > > > Substitute URLs can be either HTTP or HTTPS. HTTPS is recommended > > because communications are encrypted; conversely, using HTTP makes all > > communications visible to an eavesdropper, who could use the information > > gathered to determine, for instance, whether your system has unpatched > > security vulnerabilities. > > A few pages later, I read: > > > When using HTTPS, the server’s X.509 certificate is _not_ validated > > (in other words, the server is not authenticated), contrary to what > > HTTPS clients such as Web browsers usually do. This is because Guix > > authenticates substitute information itself, as explained above, which > > is what we care about (whereas X.509 certificates are about > > authenticating bindings between domain names and public keys.) > > Doesn't the second paragraph contradict a bit the first? It seems to me > that not validating a server's certificate means the client is > vulnerable to a MITM attack where the attacker would know "whether your > system has unpatched security vulnerabilities". When substituting over HTTPS, the communication session with the remote server is encrypted using TLS, as expected. It is guarded against passive eavesdropping. However, the certificate itself is not validated against the X.509 PKI (Mozilla's). So, someone who could MITM as <https://ci.guix.gnu.org> could use their own X.509 certificate and pretend to be that server. With this capability, they could send you substitutes that your Guix would then authenticate as having been signed by the official Guix substitute signing key. Guix would also check that it was the substitute it had asked for. So, unless we have missed something, the worst case is you get the right data from the wrong server. Guix's security model already supports mirroring of substitutes by arbitrary remote servers. That is, the security model is about signing substitutes, not authenticating remote servers. So, I think that it's not very important to verify TLS certs here, and not needing a working certificate store for substitutes improves reliability. The relevant code for the latest Guix release is here: https://git.savannah.gnu.org/cgit/guix.git/tree/guix/scripts/substitute.scm= ?h=3Dv1.0.1#n669 ^ permalink raw reply [flat|nested] 4+ messages in thread
* bug#39419: On the use of HTTPS for substitute server 2020-02-04 23:32 ` Leo Famulari @ 2020-02-05 10:34 ` Damien Cassou 2020-02-05 18:39 ` Leo Famulari 0 siblings, 1 reply; 4+ messages in thread From: Damien Cassou @ 2020-02-05 10:34 UTC (permalink / raw) To: Leo Famulari, 39419 "Leo Famulari" <leo@famulari.name> writes: > So, someone who could MITM as <https://ci.guix.gnu.org> could use their > own X.509 certificate and pretend to be that server. IIUC, you agree with me that an attacker can't change the content of packages but can inspect what a user installs. This seems to contradict this paragraph: > HTTPS is recommended because communications are encrypted; conversely, > using HTTP makes all communications visible to an eavesdropper, who > could use the information gathered to determine, for instance, whether > your system has unpatched security vulnerabilities. If you believe the text is good as it is, please just ignore me and close the ticket. Thank you so much for Guix. -- Damien Cassou "Success is the ability to go from one failure to another without losing enthusiasm." --Winston Churchill ^ permalink raw reply [flat|nested] 4+ messages in thread
* bug#39419: On the use of HTTPS for substitute server 2020-02-05 10:34 ` Damien Cassou @ 2020-02-05 18:39 ` Leo Famulari 0 siblings, 0 replies; 4+ messages in thread From: Leo Famulari @ 2020-02-05 18:39 UTC (permalink / raw) To: Damien Cassou; +Cc: 39419-done On Wed, Feb 05, 2020 at 11:34:49AM +0100, Damien Cassou wrote: > "Leo Famulari" <leo@famulari.name> writes: > > So, someone who could MITM as <https://ci.guix.gnu.org> could use their > > own X.509 certificate and pretend to be that server. > > IIUC, you agree with me that an attacker can't change the content of > packages but can inspect what a user installs. This seems to contradict > this paragraph: > > > HTTPS is recommended because communications are encrypted; conversely, > > using HTTP makes all communications visible to an eavesdropper, who > > could use the information gathered to determine, for instance, whether > > your system has unpatched security vulnerabilities. It is somewhat contradictory. The server that sends your substitutes knows what substitutes you request, by definition. How important is that information, and what tradeoffs are we willing to make to protect it? Guix protects this information from passive eavesdroppers but not an active MITM. The real important thing is, what substitutes are you requesting? This is based on your Guix code, and we do authenticate the server you request that from (`guix pull`). The next step is to start using code-signing there. This is a work in progress. > If you believe the text is good as it is, please just ignore me and > close the ticket. Okay, closed. Please let us know if you think the text can be improved. ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-02-05 18:40 UTC | newest] Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2020-02-04 14:28 bug#39419: On the use of HTTPS for substitute server Damien Cassou 2020-02-04 23:32 ` Leo Famulari 2020-02-05 10:34 ` Damien Cassou 2020-02-05 18:39 ` Leo Famulari
Code repositories for project(s) associated with this public inbox https://git.savannah.gnu.org/cgit/guix.git This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).