tech-pkg archive


Re: Cert validation in pkg_add



> Date: Sun, 17 Dec 2023 23:01:23 +0100
> From: Joerg Sonnenberger <joerg%bec.de@localhost>
> 
> On Saturday, December 9, 2023 5:56:03 AM CET Taylor R Campbell wrote:
> > tl;dr: I propose to enable cert validation in pkg_add by default.
> 
> The only reason I never committed the patch to enable certificate validation
> is the #$%#@$^@ situation on all NetBSD releases.

Fortunately we have now sorted that out for 10.

> I would even go a step
> further and not have an option to disable it or at most an environment
> variable for libfetch. That dramatically simplifies the code as well.
> 
> It should be noted that a very common setup nowadays is to just redirect
> all http traffic to https anyway, so this has a somewhat broader impact than
> might be obvious.

Note: The change I proposed only affects the path where you
specifically request `pkg_add https://...' or set
`PKG_PATH=https://...'.  It does not affect the case where a user
specifies http and the server redirects that to https.

This way it won't break existing setups that use PKG_PATH=http://...
and have no trust anchors, even if the http URL is a redirect to
https.

On the one hand, not validating https on redirect from http -- and,
conversely, _refusing_ https to http redirect -- may be surprising.

On the other hand:

- If user-specified http is redirected to server-specified https, the
  adversary has already had the opportunity to intercept http by the
  time pkg_add could begin to act on the redirect.

  So pkg_add can't guarantee authentication if you use http URLs,
  whether or not it validates certs on redirect to https.  But
  validating certs in this case might break existing setups.

- pkg_add automates the installation (and, via INSTALL scripts,
  execution) of software from the remote host the moment you run it.

  So if user-specified https is redirected to server-specified http,
  there's no opportunity like an interactive web browser provides for
  a user to check for `https' or a lock icon in the address bar after
  a page is done loading, but before entering their social security
  bank account password's maiden name.

  Thus, if pkg_add were to quietly honor https to http redirect, it
  would quietly render users more vulnerable than an interactive web
  browser would.

So I think it is reasonable for the contract to be: If you specify
https://... URLs, then pkg_add guarantees it only installs packages
retrieved over authenticated transport.  (Otherwise, no change.)
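The redirect contract argued for above, written out as an added illustration (not code from pkg_add, libfetch, or the poster): an https URL given by the user must stay on https with certificate validation for every hop, while an http URL that the server bounces to https is still followed without requiring trust anchors. Hostnames and chains are constructed for the example.

```python
from urllib.parse import urlsplit


class DowngradeRefused(Exception):
    """A user-specified https URL would be redirected to plain http."""


def resolve(user_url, redirect_chain):
    """Walk a server-supplied redirect chain under the proposed contract.

    Returns (final_url, validate_certs):
      - user asked for https: every hop must be https and certs are
        validated; a hop to http raises DowngradeRefused (no address bar
        for the user to check before INSTALL scripts run);
      - user asked for http: redirects are followed as before, including
        to https, and no trust anchors are required (the http leg could
        already have been intercepted, so nothing is guaranteed anyway).
    """
    user_scheme = urlsplit(user_url).scheme.lower()
    if user_scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {user_scheme!r}")
    validate_certs = user_scheme == "https"
    current = user_url
    for target in redirect_chain:
        hop_scheme = urlsplit(target).scheme.lower()
        if validate_certs and hop_scheme != "https":
            raise DowngradeRefused(f"refusing redirect {current} -> {target}")
        current = target
    return current, validate_certs


# Constructed chains (hypothetical hosts): user URL -> what the server sends.
SAMPLE_CHAINS = {
    "http://mirror.example/pkgsrc/": ["https://mirror.example/pkgsrc/"],
    "https://mirror.example/pkgsrc/": ["https://cdn.example/pkgsrc/"],
    "https://old.example/pkgsrc/": ["http://old.example/pkgsrc/"],
}

if __name__ == "__main__":
    for url, chain in SAMPLE_CHAINS.items():
        try:
            final, validate = resolve(url, chain)
            print(f"{url}: fetch {final} (validate certs: {validate})")
        except DowngradeRefused as exc:
            print(f"{url}: {exc}")
```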

