Re: people.debian.org will move from ravel to paradis and become HTTPS only

To: debian-devel@lists.debian.org
Subject: Re: people.debian.org will move from ravel to paradis and become HTTPS only
From: Tollef Fog Heen <tfheen@err.no>
Date: Sun, 20 Jul 2014 13:43:45 +0200
Message-id: <[🔎] m2pph0qmq6.fsf@rahvafeir.err.no>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 2398517.9WCPudKZLW@grep.be> (Wouter Verhelst's message of "Sun, 20 Jul 2014 11:07:16 +0200")
References: <20140713201310.GA27144@ftbfs.de> <[🔎] 1537194.az5tucaBzH@grep.be> <[🔎] 87wqb8edck.fsf@xoog.err.no> <[🔎] 2398517.9WCPudKZLW@grep.be>

]] Wouter Verhelst 

> AFAIK, people.debian.org does not allow running server-side HTTP scripts
> (and even if it does, I think that's a bad idea and we should disable it
> ASAP). As such, people.debian.org is not an interface for reading mail
> in your browser over HTTP, or doing IRC, or whatnot. So that argument
> simply doesn't apply.

There is no need for server-side HTTP scripts to run IRC in your
browser.  http://glowing-bear.github.io/glowing-bear/ talks to weechat,
for instance.

> Instead, people.d.o is a place to allow downloads of files. Period.

That's not the only thing people use it for, though.  They use it for
hosting web pages, their blog and so on.

> > > Additionally, since debian.org uses DNSSEC, if you can somehow MITM
> > > people.debian.org then due to DANE you can MITM it for HTTP as well as
> > > HTTPS, so forcing HTTPS really doesn't gain you much.
> > 
> > Not many HTTP clients support DANE, unfortunately, and MITM-ing
> > DNSSEC-secured domains is a bit more effort than just MITM-ing a
> > plaintext HTTP connection.
> 
> If you can MITM people.debian.org, you've already MITM'ed a
> DNSSEC-secured domain.

I see there's some confusion here.  I'm talking about a TCP level MITM
attack, not a DNS hijacking attack, which seems to be what you're
talking about.  Hijacking TCP is trivial and happens (intentionally and
by mistake) very, very often.

> > > > > Is there an actual attack vector that we're trying to protect against
> > > > > which requires us to disable plain HTTP, or is this just yet another
> > > > > instance of the bogus "HTTP is obsolete" idea?
> > > > 
> > > > There are lots of attack vectors.  It's not a response to a single
> > > > attack being exploited in the wild.
> > > 
> > > So name one?
> > 
> > To pick a random example off a web page:
> > http://ghantoos.org/2012/10/21/cocktail-of-pxe-debian-preseed-ipmi-puppet/
> > 
> >     wget http://people.debian.org/~dannf/add-firmware-to/add-firmware-to
> >     sed -i 's/lenny/wheezy/' add-firmware-to
> >     chmod +x add-firmware-to
> >     ./add-firmware-to initrd.gz initrd.nonfree.gz wheezy
> 
> The problem here is not the idea that someone might MITM
> people.debian.org and provide something useless. The problem is a
> culture of people who run random code off the web without checking what
> it does.

That is also a problem, yes.  Using HTTP makes it worse than if it was
using HTTPS.

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are

Reply to:

References:
- Re: people.debian.org will move from ravel to paradis and become HTTPS only
  - From: Wouter Verhelst <w@uter.be>
- Re: people.debian.org will move from ravel to paradis and become HTTPS only
  - From: Tollef Fog Heen <tfheen@err.no>
- Re: people.debian.org will move from ravel to paradis and become HTTPS only
  - From: Wouter Verhelst <w@uter.be>

Prev by Date: Re: people.debian.org will move from ravel to paradis and become HTTPS only
Next by Date: Re: people.debian.org will move from ravel to paradis and become HTTPS only
Previous by thread: Re: people.debian.org will move from ravel to paradis and become HTTPS only
Next by thread: Re: people.debian.org will move from ravel to paradis and become HTTPS only
Index(es):
- Date
- Thread