GNU bug report logs - #39419
On the use of HTTPS for substitute server

Previous Next

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Damien Cassou <damien <at> cassou.me>
Subject: bug#39419: closed (Re: bug#39419: On the use of HTTPS for
 substitute server)
Date: Wed, 05 Feb 2020 18:40:02 +0000

[Message part 1 (text/plain, inline)]

Your bug report

#39419: On the use of HTTPS for substitute server

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 39419 <at> debbugs.gnu.org.

-- 
39419: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=39419
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]

From: Leo Famulari <leo <at> famulari.name>
To: Damien Cassou <damien <at> cassou.me>
Cc: 39419-done <at> debbugs.gnu.org
Subject: Re: bug#39419: On the use of HTTPS for substitute server
Date: Wed, 5 Feb 2020 13:39:24 -0500

On Wed, Feb 05, 2020 at 11:34:49AM +0100, Damien Cassou wrote:
> "Leo Famulari" <leo <at> famulari.name> writes:
> > So, someone who could MITM as <https://ci.guix.gnu.org> could use their
> > own X.509 certificate and pretend to be that server.
> 
> IIUC, you agree with me that an attacker can't change the content of
> packages but can inspect what a user installs. This seems to contradict
> this paragraph:
> 
> > HTTPS is recommended because communications are encrypted; conversely,
> > using HTTP makes all communications visible to an eavesdropper, who
> > could use the information gathered to determine, for instance, whether
> > your system has unpatched security vulnerabilities.

It is somewhat contradictory.

The server that sends your substitutes knows what substitutes you
request, by definition.

How important is that information, and what tradeoffs are we willing to
make to protect it? Guix protects this information from passive
eavesdroppers but not an active MITM.

The real important thing is, what substitutes are you requesting? This
is based on your Guix code, and we do authenticate the server you
request that from (`guix pull`). The next step is to start using
code-signing there. This is a work in progress.

> If you believe the text is good as it is, please just ignore me and
> close the ticket.

Okay, closed. Please let us know if you think the text can be improved.

[Message part 3 (message/rfc822, inline)]

From: Damien Cassou <damien <at> cassou.me>
To: bug-guix <at> gnu.org
Subject: On the use of HTTPS for substitute server
Date: Tue, 04 Feb 2020 15:28:16 +0100

In the manual, section Package Management>Substitutes, I can read:

> Substitute URLs can be either HTTP or HTTPS. HTTPS is recommended
> because communications are encrypted; conversely, using HTTP makes all
> communications visible to an eavesdropper, who could use the information
> gathered to determine, for instance, whether your system has unpatched
> security vulnerabilities.

A few pages later, I read:

> When using HTTPS, the server’s X.509 certificate is _not_ validated
> (in other words, the server is not authenticated), contrary to what
> HTTPS clients such as Web browsers usually do.  This is because Guix
> authenticates substitute information itself, as explained above, which
> is what we care about (whereas X.509 certificates are about
> authenticating bindings between domain names and public keys.)

Doesn't the second paragraph contradict a bit the first? It seems to me
that not validating a server's certificate means the client is
vulnerable to a MITM attack where the attacker would know "whether your
system has unpatched security vulnerabilities".

-- 
Damien Cassou

"Success is the ability to go from one failure to another without
losing enthusiasm." --Winston Churchill

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.