From: Damien Cassou
To: bug-guix@gnu.org
Subject: On the use of HTTPS for substitute server
Date: Tue, 04 Feb 2020 15:28:16 +0100
Message-ID: <87v9ombf5r.fsf@cassou.me>

In the manual, section Package Management>Substitutes, I can read:

> Substitute URLs can be either HTTP or HTTPS. HTTPS is recommended
> because communications are encrypted; conversely, using HTTP makes all
> communications visible to an eavesdropper, who could use the information
> gathered to determine, for instance, whether your system has unpatched
> security vulnerabilities.

A few pages later, I read:

> When using HTTPS, the server’s X.509 certificate is _not_ validated
> (in other words, the server is not authenticated), contrary to what
> HTTPS clients such as Web browsers usually do. This is because Guix
> authenticates substitute information itself, as explained above, which
> is what we care about (whereas X.509 certificates are about
> authenticating bindings between domain names and public keys.)

Doesn't the second paragraph contradict a bit the first? It seems to me
that not validating a server's certificate means the client is
vulnerable to a MITM attack where the attacker would know "whether your
system has unpatched security vulnerabilities".
-- 
Damien Cassou
"Success is the ability to go from one failure to another without losing
enthusiasm." --Winston Churchill

From: Leo Famulari
To: Damien Cassou, 39419@debbugs.gnu.org
Subject: Re: bug#39419: On the use of HTTPS for substitute server
Date: Tue, 04 Feb 2020 18:32:29 -0500
Message-Id: <2c0b7fb7-02af-4920-845e-01ac63a8c831@www.fastmail.com>
In-Reply-To: <87v9ombf5r.fsf@cassou.me>

On Tue, Feb 4, 2020, at 09:28, Damien Cassou wrote:
> In the manual, section Package Management>Substitutes, I can read:
>
> > Substitute URLs can be either HTTP or HTTPS. HTTPS is recommended
> > because communications are encrypted; conversely, using HTTP makes all
> > communications visible to an eavesdropper, who could use the information
> > gathered to determine, for instance, whether your system has unpatched
> > security vulnerabilities.
>
> A few pages later, I read:
>
> > When using HTTPS, the server’s X.509 certificate is _not_ validated
> > (in other words, the server is not authenticated), contrary to what
> > HTTPS clients such as Web browsers usually do. This is because Guix
> > authenticates substitute information itself, as explained above, which
> > is what we care about (whereas X.509 certificates are about
> > authenticating bindings between domain names and public keys.)
>
> Doesn't the second paragraph contradict a bit the first? It seems to me
> that not validating a server's certificate means the client is
> vulnerable to a MITM attack where the attacker would know "whether your
> system has unpatched security vulnerabilities".

When substituting over HTTPS, the communication session with the remote
server is encrypted using TLS, as expected. It is guarded against passive
eavesdropping.

However, the certificate itself is not validated against the X.509 PKI
(Mozilla's). So, someone who could MITM as could use their own X.509
certificate and pretend to be that server. With this capability, they
could send you substitutes that your Guix would then authenticate as
having been signed by the official Guix substitute signing key. Guix
would also check that it was the substitute it had asked for. So, unless
we have missed something, the worst case is you get the right data from
the wrong server.

Guix's security model already supports mirroring of substitutes by
arbitrary remote servers. That is, the security model is about signing
substitutes, not authenticating remote servers. So, I think that it's not
very important to verify TLS certs here, and not needing a working
certificate store for substitutes improves reliability.
The relevant code for the latest Guix release is here:

https://git.savannah.gnu.org/cgit/guix.git/tree/guix/scripts/substitute.scm?h=v1.0.1#n669

From: Damien Cassou
To: Leo Famulari, 39419@debbugs.gnu.org
Subject: Re: bug#39419: On the use of HTTPS for substitute server
Date: Wed, 05 Feb 2020 11:34:49 +0100
Message-ID: <877e11gw52.fsf@cassou.me>
In-Reply-To: <2c0b7fb7-02af-4920-845e-01ac63a8c831@www.fastmail.com>
"Leo Famulari" writes:
> So, someone who could MITM as could use their
> own X.509 certificate and pretend to be that server.

IIUC, you agree with me that an attacker can't change the content of
packages but can inspect what a user installs. This seems to contradict
this paragraph:

> HTTPS is recommended because communications are encrypted; conversely,
> using HTTP makes all communications visible to an eavesdropper, who
> could use the information gathered to determine, for instance, whether
> your system has unpatched security vulnerabilities.

If you believe the text is good as it is, please just ignore me and
close the ticket.

Thank you so much for Guix.

-- 
Damien Cassou
From: Leo Famulari
To: Damien Cassou
Cc: 39419-done@debbugs.gnu.org
Subject: Re: bug#39419: On the use of HTTPS for substitute server
Date: Wed, 5 Feb 2020 13:39:24 -0500
Message-ID: <20200205183924.GA11535@jasmine.lan>
In-Reply-To: <877e11gw52.fsf@cassou.me>

On Wed, Feb 05, 2020 at 11:34:49AM +0100, Damien Cassou wrote:
> "Leo Famulari" writes:
> > So, someone who could MITM as could use their
> > own X.509 certificate and pretend to be that server.
>
> IIUC, you agree with me that an attacker can't change the content of
> packages but can inspect what a user installs.
> This seems to contradict
> this paragraph:
>
> > HTTPS is recommended because communications are encrypted; conversely,
> > using HTTP makes all communications visible to an eavesdropper, who
> > could use the information gathered to determine, for instance, whether
> > your system has unpatched security vulnerabilities.

It is somewhat contradictory. The server that sends your substitutes
knows what substitutes you request, by definition. How important is that
information, and what tradeoffs are we willing to make to protect it?
Guix protects this information from passive eavesdroppers but not an
active MITM.

The really important thing is, what substitutes are you requesting? This
is based on your Guix code, and we do authenticate the server you request
that from (`guix pull`). The next step is to start using code-signing
there. This is a work in progress.

> If you believe the text is good as it is, please just ignore me and
> close the ticket.

Okay, closed. Please let us know if you think the text can be improved.

Debbugs Internal Request: bug archived. Date: Thu, 05 Mar 2020 12:24:04 +0000
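As an added illustration of the model Leo describes above (this is a constructed Go model written for this thread, not Guix's own code, which is the Guile in guix/scripts/substitute.scm linked earlier): a client accepts a substitute only when its narinfo is signed by a key in the client's ACL and the archive matches the signed hash, so a mirror relaying the official records is accepted, a host signing with its own key is rejected, and any host that answers, certificate validated or not, still sees which store paths were requested. The Narinfo, Server and Fetch names, the demo keys derived from a seed, and the store paths are all assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
)

// Narinfo is a constructed stand-in for a Guix narinfo record: the signed
// metadata a substitute server returns for one store path.
type Narinfo struct {
	NarHash [32]byte          // sha256 of the archive (nar) bytes
	Signer  ed25519.PublicKey // key that produced Sig
	Sig     []byte            // signature over the store path and NarHash
}
func signed(path string, h [32]byte) []byte { return append([]byte(path+"\n"), h[:]...) }
// Server is any host answering substitute requests: the official server, a
// mirror, or whoever answers when the TLS certificate is not validated.
type Server struct {
	key   ed25519.PrivateKey
	infos map[string]Narinfo
	nars  map[string][]byte
	Seen  []string // store paths requested from this host, whoever it is
}
// NewServer derives a demo key from a name; a real server loads its own key.
func NewServer(name string) *Server {
	seed := sha256.Sum256([]byte("constructed demo seed: " + name))
	return &Server{key: ed25519.NewKeyFromSeed(seed[:]), infos: map[string]Narinfo{}, nars: map[string][]byte{}}
}
func (s *Server) Key() ed25519.PublicKey { return s.key.Public().(ed25519.PublicKey) }
// Publish signs a substitute with this host's own key.
func (s *Server) Publish(path string, nar []byte) {
	h := sha256.Sum256(nar)
	s.infos[path], s.nars[path] = Narinfo{h, s.Key(), ed25519.Sign(s.key, signed(path, h))}, nar
}
// Relay copies another host's signed records unchanged (a plain mirror).
func (s *Server) Relay(from *Server) {
	for p, i := range from.infos {
		s.infos[p], s.nars[p] = i, from.nars[p]
	}
}

// Fetch authenticates the substitute, never the host: the narinfo must be
// signed by a key in the client's ACL and the nar must match the signed hash.
func Fetch(acl map[string]bool, srv *Server, path string) ([]byte, error) {
	srv.Seen = append(srv.Seen, path) // the serving host learns what was asked
	info := srv.infos[path]
	if !acl[string(info.Signer)] || !ed25519.Verify(info.Signer, signed(path, info.NarHash), info.Sig) {
		return nil, errors.New("narinfo not signed by an authorized key")
	}
	if sha256.Sum256(srv.nars[path]) != info.NarHash {
		return nil, errors.New("nar does not match signed hash")
	}
	return srv.nars[path], nil
}
```

The ACL plays the role of the substitute signing keys a user has authorized; who served the bytes never enters the check, while `Seen` records what every answering host learns.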