[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: people.debian.org will move from ravel to paradis and become HTTPS only

Op zondag 20 juli 2014 08:47:07 schreef Tollef Fog Heen:
> ]] Wouter Verhelst
> > Op zaterdag 19 juli 2014 22:54:47 schreef u:
> > > ]] Wouter Verhelst
> > > 
> > > > Op zondag 13 juli 2014 22:13:10 schreef Martin Zobel-Helas:
> > > > > Furthermore, we will change the people.debian.org web-service such
> > > > > that
> > > > > only HTTPS connections will be supported (unencrypted requests will
> > > > > be
> > > > > redirected).
> > > > 
> > > > Why?
> > > 
> > > Because the world is a nastier place than it used to be.  It's like the
> > > move from telnet to SSH many moons ago, all protocols ought to be
> > > encrypted today.
> > 
> > Well, I disagree with that.
> > 
> > With telnet vs SSH, the move was necessary because telnet would send
> > passwords in the clear, and because telnet is mostly a control interface
> > rather than anything else.
> > 
> > With HTTP vs HTTPS, the move can be necessary (many control interfaces
> > these days are written in HTTP server-side code, and then using plain
> > HTTP is a bad idea), but I doubt the majority of uses for
> > people.debian.org is anything but downloading static files these days.
> I don't see a big difference between reading mail in pine, which people
> did using telnet and reading mail in their browser over HTTP.  Or IRC
> and twitteresque services.

Oh sure, I agree that in those cases it makes perfect sense to disable
plain HTTP. But that's not what this is.

AFAIK, people.debian.org does not allow running server-side HTTP scripts
(and even if it does, I think that's a bad idea and we should disable it
ASAP). As such, people.debian.org is not an interface for reading mail
in your browser over HTTP, or doing IRC, or whatnot. So that argument
simply doesn't apply.

Instead, people.d.o is a place to allow downloads of files. Period.
Sometimes it should be possible to verify that these files have not been
tampered with. With the state of the CA cartel these days, I have little
trust in the strength of HTTPS as a verification mechanism, and so I
wouldn't trust a file to be correct even if it came through an HTTPS
connection that validates. Instead, I would only trust such a file if it
came with a GPG signature from a key that is in the Debian keyring.

> (I wouldn't call things like mail clients and social media control
> interfaces either.)

Well, I would, but that's just semantics, and so has little relevance in
this discussion.

> > It's good to make HTTPS the default, which if you must you can do
> > (amongst other things) by way of HSTS. However, I fail to see why we
> > should make HTTP impossible for those cases where it's needed.
> Would you be happy with
> http://people.debian.org/THIS-IS-INSECURE/YES-I-WANT-TO-PROCEED/~user/file
> as the URLs?  We could do something like that, where if you absolutely
> must use HTTP, you can, but it's more annoying and tedious than the
> better alternative.

I suppose that could work, although it might make HSTS fail (but I must
admit I don't understand HSTS in detail).

> > Additionally, since debian.org uses DNSSEC, if you can somehow MITM
> > people.debian.org then due to DANE you can MITM it for HTTP as well as
> > HTTPS, so forcing HTTPS really doesn't gain you much.
> Not many HTTP clients support DANE, unfortunately, and MITM-ing
> DNSSEC-secured domains is a bit more effort than just MITM-ing a
> plaintext HTTP connection.

If you can MITM people.debian.org, you've already MITM'ed a
DNSSEC-secured domain.

> > > > Is there an actual attack vector that we're trying to protect against
> > > > which requires us to disable plain HTTP, or is this just yet another
> > > > instance of the bogus "HTTP is obsolete" idea?
> > > 
> > > There are lots of attack vectors.  It's not a response to a single
> > > attack being exploited in the wild.
> > 
> > So name one?
> To pick a random example off a web page:
> http://ghantoos.org/2012/10/21/cocktail-of-pxe-debian-preseed-ipmi-puppet/
>     wget http://people.debian.org/~dannf/add-firmware-to/add-firmware-to
>     sed -i 's/lenny/wheezy/' add-firmware-to
>     chmod +x add-firmware-to
>     ./add-firmware-to initrd.gz initrd.nonfree.gz wheezy

The problem here is not the idea that someone might MITM
people.debian.org and provide something useless. The problem is a
culture of people who run random code off the web without checking what
it does. That ghantoos.org thing might refer to people.deb1an.org
instead which contains nothing but malware; if you download and run code
off the internet without checking it, you've already lost. This isn't
very special in that regard, and that's not something you can fix by
forcing HTTPS on people.

Even ignoring that, assuming people trust that code off
people.debian.org is "safe", if they run a validating DNS resolver they
don't run more of a risk than if they use only HTTPS.

Again, I support enabling HTTPS, and I support making it the default
if possible. I just don't think disabling plain HTTP is a good idea.

It is easy to love a country that is famous for chocolate and beer

  -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26

Reply to: