Re: people.debian.org will move from ravel to paradis and become HTTPS only
]] Wouter Verhelst
> AFAIK, people.debian.org does not allow running server-side HTTP scripts
> (and even if it does, I think that's a bad idea and we should disable it
> ASAP). As such, people.debian.org is not an interface for reading mail
> in your browser over HTTP, or doing IRC, or whatnot. So that argument
> simply doesn't apply.
There is no need for server-side HTTP scripts to run IRC in your
browser. http://glowing-bear.github.io/glowing-bear/ talks to weechat,
for instance.
> Instead, people.d.o is a place to allow downloads of files. Period.
That's not the only thing people use it for, though. They use it for
hosting web pages, their blog and so on.
> > > Additionally, since debian.org uses DNSSEC, if you can somehow MITM
> > > people.debian.org then due to DANE you can MITM it for HTTP as well as
> > > HTTPS, so forcing HTTPS really doesn't gain you much.
> >
> > Not many HTTP clients support DANE, unfortunately, and MITM-ing
> > DNSSEC-secured domains is a bit more effort than just MITM-ing a
> > plaintext HTTP connection.
>
> If you can MITM people.debian.org, you've already MITM'ed a
> DNSSEC-secured domain.
I see there's some confusion here. I'm talking about a TCP level MITM
attack, not a DNS hijacking attack, which seems to be what you're
talking about. Hijacking TCP is trivial and happens (intentionally and
by mistake) very, very often.
> > > > > Is there an actual attack vector that we're trying to protect against
> > > > > which requires us to disable plain HTTP, or is this just yet another
> > > > > instance of the bogus "HTTP is obsolete" idea?
> > > >
> > > > There are lots of attack vectors. It's not a response to a single
> > > > attack being exploited in the wild.
> > >
> > > So name one?
> >
> > To pick a random example off a web page:
> > http://ghantoos.org/2012/10/21/cocktail-of-pxe-debian-preseed-ipmi-puppet/
> >
> > wget http://people.debian.org/~dannf/add-firmware-to/add-firmware-to
> > sed -i 's/lenny/wheezy/' add-firmware-to
> > chmod +x add-firmware-to
> > ./add-firmware-to initrd.gz initrd.nonfree.gz wheezy
>
> The problem here is not the idea that someone might MITM
> people.debian.org and provide something useless. The problem is a
> culture of people who run random code off the web without checking what
> it does.
That is also a problem, yes. Using HTTP makes it worse than if it was
using HTTPS.
--
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are