Re: people.debian.org will move from ravel to paradis and become HTTPS only
]] Wouter Verhelst
> Op zaterdag 19 juli 2014 22:54:47 schreef u:
> > ]] Wouter Verhelst
> > > Op zondag 13 juli 2014 22:13:10 schreef Martin Zobel-Helas:
> > > > Furthermore, we will change the people.debian.org web-service such that
> > > > only HTTPS connections will be supported (unencrypted requests will be
> > > > redirected).
> > >
> > > Why?
> >
> > Because the world is a nastier place than it used to be. It's like the
> > move from telnet to SSH many moons ago, all protocols ought to be
> > encrypted today.
>
> Well, I disagree with that.
>
> With telnet vs SSH, the move was necessary because telnet would send
> passwords in the clear, and because telnet is mostly a control interface
> rather than anything else.
>
> With HTTP vs HTTPS, the move can be necessary (many control interfaces
> these days are written in HTTP server-side code, and then using plain
> HTTP is a bad idea), but I doubt the majority of uses for
> people.debian.org is anything but downloading static files these days.
I don't see a big difference between reading mail in pine, which people
did using telnet and reading mail in their browser over HTTP. Or IRC
and twitteresque services.
(I wouldn't call things like mail clients and social media control
interfaces either.)
> It's good to make HTTPS the default, which if you must you can do
> (amongst other things) by way of HSTS. However, I fail to see why we
> should make HTTP impossible for those cases where it's needed.
Would you be happy with
http://people.debian.org/THIS-IS-INSECURE/YES-I-WANT-TO-PROCEED/~user/file
as the URLs? We could do something like that, where if you absolutely
must use HTTP, you can, but it's more annoying and tedious than the
better alternative.
> > > Please note that there remain cases where accessing HTTPS is difficult
> > > or impossible. One of these (but by no means the only one) is the
> > > current release of debian-installer: the wget implementation inside
> > > stable d-i does not support https, so downloading files from people.d.o
> > > (e.g., for preseeding) will become impossible if this is implemented as
> > > stated.
> >
> > Hopefully you're not preseeding from a HTTP source, since that means
> > you're quite vulnerable to trivial MITM attacks
>
> True, but debian-installer simply does not support any signed/encrypted
> preseeding.
Nod; as an aside, having the ability to do preseed=http(s)://url/
preseed_sha256=$sha256 would be pretty useful.
> Additionally, since debian.org uses DNSSEC, if you can somehow MITM
> people.debian.org then due to DANE you can MITM it for HTTP as well as
> HTTPS, so forcing HTTPS really doesn't gain you much.
Not many HTTP clients support DANE, unfortunately, and MITM-ing
DNSSEC-secured domains is a bit more effort than just MITM-ing a
plaintext HTTP connection.
> > > Is there an actual attack vector that we're trying to protect against
> > > which requires us to disable plain HTTP, or is this just yet another
> > > instance of the bogus "HTTP is obsolete" idea?
> >
> > There are lots of attack vectors. It's not a response to a single
> > attack being exploited in the wild.
>
> So name one?
To pick a random example off a web page:
http://ghantoos.org/2012/10/21/cocktail-of-pxe-debian-preseed-ipmi-puppet/
wget http://people.debian.org/~dannf/add-firmware-to/add-firmware-to
sed -i 's/lenny/wheezy/' add-firmware-to
chmod +x add-firmware-to
./add-firmware-to initrd.gz initrd.nonfree.gz wheezy
--
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
Reply to: