tech-pkg archive
Re: Cert validation in pkg_add
> Date: Sun, 17 Dec 2023 23:01:23 +0100
> From: Joerg Sonnenberger <joerg%bec.de@localhost>
>
> On Saturday, December 9, 2023 5:56:03 AM CET Taylor R Campbell wrote:
> > tl;dr: I propose to enable cert validation in pkg_add by default.
>
> The only reason I never committed the patch to enable certificate validation
> is the #$%#@$^@ situation on all NetBSD releases.

Fortunately we have now sorted that out for 10.

> I would even go a step
> further and not have an option to disable it or at most an environment
> variable for libfetch. That dramatically simplifies the code as well.
>
> It should be noted that a very common setup nowadays is to just redirect
> all http traffic to https anyway, so this has a somewhat broader impact than
> might be obvious.

Note: The change I proposed only affects the path where you
specifically request `pkg_add https://...' or set
`PKG_PATH=https://...'. It does not affect the case where a user
specifies http and the server redirects that to https.

This way it won't break existing setups that use PKG_PATH=http://...
and have no trust anchors, even if the http URL is a redirect to
https.

On the one hand, not validating https on redirect from http -- and,
conversely, _refusing_ https to http redirect -- may be surprising.

On the other hand:

- If user-specified http is redirected to server-specified https, the
  adversary has already had the opportunity to intercept http by the
  time pkg_add could begin to act on the redirect.

  So pkg_add can't guarantee authentication if you use http URLs,
  whether or not it validates certs on redirect to https. But
  validating certs in this case might break existing setups.

- pkg_add automates the installation (and, via INSTALL scripts,
  execution) of software from the remote host the moment you run it.

  So if user-specified https is redirected to server-specified http,
  there's no opportunity like an interactive web browser provides for
  a user to check for `https' or a lock icon in the address bar after
  a page is done loading, but before entering their social security
  bank account password's maiden name.

  Thus, if pkg_add were to quietly honor https to http redirect, it
  would quietly render users more vulnerable than an interactive web
  browser would.

So I think it is reasonable for the contract to be: If you specify
https://... URLs, then pkg_add guarantees it only installs packages
retrieved over authenticated transport. (Otherwise, no change.)
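The contract described above, as an added C model that is not pkg_add's or libfetch's own code: a constructed redirect table stands in for server responses, and a policy function follows the chain, refusing any https-to-http downgrade when the user asked for https, and following http-to-https without promising authentication. The example.* hostnames and the 5-hop limit are assumptions of this model.

```c
#include <stdio.h>
#include <string.h>

/* Constructed redirect table standing in for server responses; the hosts are
 * placeholders, not real mirrors. */
struct hop { const char *from; const char *to; };
static const struct hop redirects[] = {
    { "http://mirror.example/pkg",  "https://mirror.example/pkg" },
    { "https://mirror.example/old", "http://mirror.example/pkg"  },
    { "https://mirror.example/new", "https://cdn.example/pkg"    },
    { "https://loop.example/a",     "https://loop.example/b"     },
    { "https://loop.example/b",     "https://loop.example/a"     },
};
enum verdict { FETCH_PLAIN, FETCH_VERIFIED, REFUSE_DOWNGRADE, REFUSE_LOOP };

static int is_https(const char *url) { return strncmp(url, "https://", 8) == 0; }
static const char *next_hop(const char *url)
{
    for (size_t i = 0; i < sizeof redirects / sizeof redirects[0]; i++)
        if (strcmp(redirects[i].from, url) == 0)
            return redirects[i].to;
    return NULL; /* no redirect: this URL serves the package itself */
}

/* Apply the proposed contract to a user-supplied URL, following redirects.
 * https requested: every hop must stay https and the final fetch validates the
 * certificate.  http requested: no authentication is promised, so a redirect to
 * https is followed without cert validation.  *final receives the URL that would
 * be fetched, or the last acceptable hop on refusal.  5-hop limit: assumption. */
enum verdict pkg_fetch_policy(const char *url, const char **final)
{
    int want_auth = is_https(url);
    const char *cur = url, *nxt;
    int hops = 0;
    while ((nxt = next_hop(cur)) != NULL) {
        if (++hops > 5) { *final = cur; return REFUSE_LOOP; }
        if (want_auth && !is_https(nxt)) { *final = cur; return REFUSE_DOWNGRADE; }
        cur = nxt;
    }
    *final = cur;
    return want_auth ? FETCH_VERIFIED : FETCH_PLAIN;
}

int main(void)
{
    const char *f;
    enum verdict v = pkg_fetch_policy("https://mirror.example/old", &f);
    printf("verdict %d, last acceptable hop %s\n", (int)v, f);
    return 0;
}
```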