Hi, Philip McGrath schreef op za 08-01-2022 om 11:37 [-0500]: > This sounds like HTTP Public Key Pinning (HPKP).[1] AIUI, HTTP Public > Key Pinning was deprecated, and support has been removed from major > browser engines by January 2020.[2][3][4] While it seemed like a good > idea for reasons like the ones you list, apparently it not only proved > very difficult for site administrators to configure, with severe > consequences for mistakes, it also enabled potential ransomware attacks > and other bad stuff.[6] > > I never followed this feature closely and don't have a strongly-held > opinion on the merits, but, if the "web platform" has deprecated this > feature---more concretely, if it is Considered Harmful by sysadmins and > servers are configured with the expectation that no one does this any > more---I don't think it would improve reliability for Guix to > unilaterally revive HPKP. It does instead sound like HPKP -- however, what I proposed is in some sense the inverse of HPKP: Instead of a webserver telling the client to pin a certain key, the client has pinned a certain key in advance. So pinning is Guix' responsibility, not the web server's. What I propose is more close to ‘certificate pinning’ (actually public key pinning), see e.g. . Even then, it's a bit different: the certificate of the server must be correct according to both the root CAs in $SSL_CERT_DIR AND the pin list. The sources you referenced listed a few potential problems with HPKP. Most don't apply to what I propose, and when they do apply, it's at most a denial of server that can easily be fixed: * Using HPKP for Evil: Suppose the attacker tries to perform a RansomPKP attack. Then they need need to either: 1. Modify the pin list in guix to list their public key. If an attacker has commit acces, then I think we have bigger problems. or 2. Do a MITM (or compromise the web server) to some people on #guix that have commit access. Tell people on #guix that the pinned public key is outdated. People on #guix confirm, and commit the new pinned public key. The attacker says to #guix -- pay me $large number, or else. Response #guix -- let's simply revert the pin and inform relevant authorities. Attacker: 😥️. Note that, to do a MITM, the attacker would have to compromise/corrupt a CA. Public key pinning makes no difference to the difficulty of compromising the web server. So this attack would be at least as hard as when guix doesn't do public key pinning. * Supercookies: the key pins are fixed per commit and the server cannot tell guix to pin something, so there's no state here, so no supercookies. * HPKP Suicide: Web servers don't set a pin, guix does. And guix can decide to change a pin whenever it wants. At most, guix might forget to change the pin to the new public key, but that's easily rectified when noticed (e.g., if multiple people on #guix notice the same public key and the committer notices the same public key). That said, let's not use pins when doing "guix pull", "guix perform-download" or "guix substitute" because "guix pull" is rather essential and the guix used as the daemon is rarely updated -- temporarily breaking "guix refresh", "guix download" or "guix import" is much less a problem. * Things about subdomains on [6]: the domain name match must be exact; a pin for a domain does not imply a pin for subdomains. From the perspective of guix, domains and subdomains would be unrelated. * Does the fact that web browsers deprecated HPKP matter? I don't think so. E.g. [5] says that ‘However, this exposes as part of the Open Web Platform considerations that are external to it: specifically, the choice and selection of CAs is a product-level security decision made by browsers or by OS vendor, and the choice and use of sub-CAs, cross-signing, and other aspects of the PKI hierarchy are made independently by CAs.’ I think that "guix download/refresh/import" qualifies as ‘product level’, or ‘browser’ here, and that Guix qualifies as OS vendor. I don't think that the bit about sub-CAs, cross-signing, etc. is relevant here: we pin public keys, not CAs, and the public key pin can be adjusted whenever the website decided to use another public key -- albeit with a (hopefully brief?) period where it is temporarily inaccessible to "guix download/refresh/import". Also, they suggest using Expect-CT instead. But Expect-CT is less useful: it's rather complicated, and it only prevents forged certificates from being unnoticed -- it doesn't actually prevent them from being used AFAICT. * [4] is just a pointer to [5] * [3] only tells that HPKP isn't supported anymore. The sources they quote are mostly [2] and [5], so I won't cover this source individually. * [2] is mostly saying that HPKP is hard and browsers have been deprecating HPKP and not telling anything new, but what I propose isn't HPKP and it seems rather easy and hard to get wrong to me. * [1] just notes that HPKP is deprecated, it doesn't explain the reasons. I recommend reading a bit about certificate and public key pinning (not HPKP!), it is actually a recommended practice for applications that know in advance which web servers they will contact. Effectively, what I propose would be sort-of a mini-CA for Guix, orthogonal to the PKI system. Greetings, Maxime > -Philip > > [1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning > [2]: https://scotthelme.co.uk/hpkp-is-no-more/ > [3]: > http://web.archive.org/web/20200618234723/https://www.fxsitecompat.dev/en-CA/docs/2019/http-public-key-pinning-is-no-longer-supported/ > [4]: https://chromestatus.com/feature/5903385005916160 > [5]: > https://groups.google.com/a/chromium.org/g/blink-dev/c/he9tr7p3rZ8/m/eNMwKPmUBAAJ > [6]: https://scotthelme.co.uk/using-security-features-to-do-bad-things/ >