From: Maxime Devos <maximedevos@telenet.be>
To: Philip McGrath <philip@philipmcgrath.com>, guix-devel@gnu.org
Subject: Re: Public key pinning in guix?
Date: Sun, 09 Jan 2022 12:54:48 +0100 [thread overview]
Message-ID: <710662a46157c2f9ec034ea272351cb1860015d8.camel@telenet.be> (raw)
In-Reply-To: <357034c3-44f2-5ec9-e74a-314412ce2a65@philipmcgrath.com>
[-- Attachment #1: Type: text/plain, Size: 6307 bytes --]
Hi,
Philip McGrath schreef op za 08-01-2022 om 11:37 [-0500]:
> This sounds like HTTP Public Key Pinning (HPKP).[1] AIUI, HTTP Public
> Key Pinning was deprecated, and support has been removed from major
> browser engines by January 2020.[2][3][4] While it seemed like a good
> idea for reasons like the ones you list, apparently it not only proved
> very difficult for site administrators to configure, with severe
> consequences for mistakes, it also enabled potential ransomware attacks
> and other bad stuff.[6]
>
> I never followed this feature closely and don't have a strongly-held
> opinion on the merits, but, if the "web platform" has deprecated this
> feature---more concretely, if it is Considered Harmful by sysadmins and
> servers are configured with the expectation that no one does this any
> more---I don't think it would improve reliability for Guix to
> unilaterally revive HPKP.
It does instead sound like HPKP -- however, what I proposed is in some
sense the inverse of HPKP:
Instead of a webserver telling the client to pin a certain key, the
client has pinned a certain key in advance. So pinning is Guix'
responsibility, not the web server's.
What I propose is more close to ‘certificate pinning’ (actually
public key pinning), see e.g.
<https://blogs.fsfe.org/jens.lechtenboerger/2014/03/10/certificate-pinning-with-gnutls-in-the-mess-of-ssltls/>.
Even then, it's a bit different: the certificate of the server must
be correct according to both the root CAs in $SSL_CERT_DIR
AND the pin list.
The sources you referenced listed a few potential problems with HPKP.
Most don't apply to what I propose, and when they do apply, it's at
most a denial of server that can easily be fixed:
* Using HPKP for Evil:
Suppose the attacker tries to perform a RansomPKP attack.
Then they need need to either:
1. Modify the pin list in guix to list their public key.
If an attacker has commit acces, then I think we have
bigger problems.
or
2. Do a MITM (or compromise the web server) to some people
on #guix that have commit access. Tell people on #guix
that the pinned public key is outdated. People on #guix
confirm, and commit the new pinned public key.
The attacker says to #guix -- pay me $large number, or else.
Response #guix -- let's simply revert the pin and inform
relevant authorities.
Attacker: 😥️.
Note that, to do a MITM, the attacker would have to
compromise/corrupt a CA. Public key pinning makes no difference
to the difficulty of compromising the web server. So this attack
would be at least as hard as when guix doesn't do public key pinning.
* Supercookies: the key pins are fixed per commit and the server
cannot tell guix to pin something, so there's no state here,
so no supercookies.
* HPKP Suicide:
Web servers don't set a pin, guix does. And guix can decide to
change a pin whenever it wants. At most, guix might forget to
change the pin to the new public key, but that's easily rectified
when noticed (e.g., if multiple people on #guix notice the same
public key and the committer notices the same public key).
That said, let's not use pins when doing "guix pull",
"guix perform-download" or "guix substitute" because "guix pull"
is rather essential and the guix used as the daemon is rarely
updated -- temporarily breaking "guix refresh", "guix download"
or "guix import" is much less a problem.
* Things about subdomains on [6]: the domain name match must be
exact; a pin for a domain does not imply a pin for subdomains.
From the perspective of guix, domains and subdomains would be
unrelated.
* Does the fact that web browsers deprecated HPKP matter?
I don't think so. E.g. [5] says that
‘However, this exposes as part of the Open Web Platform considerations
that are external to it: specifically, the choice and selection of CAs
is a product-level security decision made by browsers or by OS vendor,
and the choice and use of sub-CAs, cross-signing, and other aspects of
the PKI hierarchy are made independently by CAs.’
I think that "guix download/refresh/import" qualifies as ‘product level’,
or ‘browser’ here, and that Guix qualifies as OS vendor.
I don't think that the bit about sub-CAs, cross-signing, etc. is relevant
here: we pin public keys, not CAs, and the public key pin can be adjusted
whenever the website decided to use another public key -- albeit with
a (hopefully brief?) period where it is temporarily inaccessible to
"guix download/refresh/import".
Also, they suggest using Expect-CT instead. But Expect-CT is less useful:
it's rather complicated, and it only prevents forged certificates from
being unnoticed -- it doesn't actually prevent them from being used AFAICT.
* [4] is just a pointer to [5]
* [3] only tells that HPKP isn't supported anymore. The sources they
quote are mostly [2] and [5], so I won't cover this source individually.
* [2] is mostly saying that HPKP is hard and browsers have been deprecating
HPKP and not telling anything new, but what I propose isn't HPKP and it
seems rather easy and hard to get wrong to me.
* [1] just notes that HPKP is deprecated, it doesn't explain the reasons.
I recommend reading a bit about certificate and public key pinning
(not HPKP!), it is actually a recommended practice for applications that
know in advance which web servers they will contact.
Effectively, what I propose would be sort-of a mini-CA for Guix,
orthogonal to the PKI system.
Greetings,
Maxime
> -Philip
>
> [1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning
> [2]: https://scotthelme.co.uk/hpkp-is-no-more/
> [3]:
> http://web.archive.org/web/20200618234723/https://www.fxsitecompat.dev/en-CA/docs/2019/http-public-key-pinning-is-no-longer-supported/
> [4]: https://chromestatus.com/feature/5903385005916160
> [5]:
> https://groups.google.com/a/chromium.org/g/blink-dev/c/he9tr7p3rZ8/m/eNMwKPmUBAAJ
> [6]: https://scotthelme.co.uk/using-security-features-to-do-bad-things/
>
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 260 bytes --]
next prev parent reply other threads:[~2022-01-09 11:55 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-07 21:24 Public key pinning in guix? Maxime Devos
2022-01-08 16:37 ` Philip McGrath
2022-01-09 11:54 ` Maxime Devos [this message]
2022-01-09 13:57 ` Philip McGrath
2022-01-09 15:29 ` Maxime Devos
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=710662a46157c2f9ec034ea272351cb1860015d8.camel@telenet.be \
--to=maximedevos@telenet.be \
--cc=guix-devel@gnu.org \
--cc=philip@philipmcgrath.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).