GNU bug report logs - #27437
Source downloader accepts X.509 certificate for incorrect domain

Package: guix

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Wed, 21 Jun 2017 06:19:01 UTC

Severity: normal

Done: Ricardo Wurmus <rekado <at> elephly.net>

Bug is archived. No further changes may be made.


Message #11 received at 27437 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 27437 <at> debbugs.gnu.org
Subject: Re: bug#27437: Source downloader accepts X.509 certificate for
 incorrect domain
Date: Thu, 22 Jun 2017 00:09:01 -0400
On Wed, Jun 21, 2017 at 12:50:15PM +0200, Ludovic Courtès wrote:
> Leo Famulari <leo <at> famulari.name> wrote:
> > While working on some package updates, I found that the source code
> > downloader will accept an X.509 certificate for an incorrect site.

[...]

> IOW, since we’re checking the integrity of the tarball anyway, and we
> assume developers checked its authenticity when writing the recipe, then
> who cares whether downloads.xiph.org has a valid certificate?
> 
> Does it make sense?

Yeah, I think it makes sense if checking the certificates would add too
much complexity for what I think is a minor benefit: protecting against
exploitation of bugs by MITM (but not xiph.org) in whatever code runs
after the connection is initiated and before the hash is calculated.

Perhaps a MITM could send a huge file and fill up the disk or something
like that.

Closing the bug, but more thoughts are welcome!
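
Added example, not part of the thread and not Guix's code: a sketch of the trade-off discussed above, where bytes from an unauthenticated connection are accepted only if they match the hash pinned in the recipe. The `max_bytes` cap, the names `fetch_verified` and `FetchRejected`, and the hex SHA-256 format are assumptions made for illustration; the cap addresses the disk-filling case raised in the message.

```python
import hashlib
import io
import os
import tempfile

class FetchRejected(Exception):
    """The downloaded bytes must not be used."""

def fetch_verified(stream, expected_sha256, max_bytes, dest_dir, chunk=65536):
    # `stream` stands in for the body of an unauthenticated connection: every
    # byte is attacker-controlled until the digest comparison succeeds.
    digest, total = hashlib.sha256(), 0
    fd, tmp_path = tempfile.mkstemp(dir=dest_dir, prefix=".partial-")
    try:
        with os.fdopen(fd, "wb") as out:
            while block := stream.read(chunk):
                total += len(block)
                if total > max_bytes:  # stop before the disk fills
                    raise FetchRejected("body exceeds %d bytes" % max_bytes)
                digest.update(block)
                out.write(block)
        if digest.hexdigest() != expected_sha256:
            raise FetchRejected("sha256 mismatch")
        final_path = os.path.join(dest_dir, expected_sha256)
        os.replace(tmp_path, final_path)  # publish only verified content
        return final_path
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)  # never leave unverified bytes behind
        raise

def demo():
    # Constructed inputs: genuine body, tampered body, oversized body.
    good = b"constructed tarball bytes\n" * 100
    pinned = hashlib.sha256(good).hexdigest()  # hash recorded in the recipe
    cases = {"good": good, "tampered": good + b"x", "huge": b"\0" * 10_000_000}
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, body in cases.items():
            try:
                fetch_verified(io.BytesIO(body), pinned, 1_000_000, d)
                results[name] = "accepted"
            except FetchRejected as err:
                results[name] = str(err)
        results["leftovers"] = os.listdir(d) == [pinned]
    return results

if __name__ == "__main__":
    print(demo())
```

Everything that parses or stores the body before the digest comparison still handles untrusted input, which is the residual exposure the message describes.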

This bug report was last modified 7 years and 304 days ago.