public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] [PATCH 1/2] git-r3.eclass: Update docs to discourage unsafe protocols
@ 2017-08-19  8:25 Michał Górny
  2017-08-19  8:25 ` [gentoo-dev] [PATCH 2/2] git-r3.eclass: Explicitly warn about unsecure protocols Michał Górny
                   ` (2 more replies)
  0 siblings, 3 replies; 12+ messages in thread
From: Michał Górny @ 2017-08-19  8:25 UTC (permalink / raw)
  To: gentoo-dev; +Cc: Michał Górny

---
 eclass/git-r3.eclass | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/eclass/git-r3.eclass b/eclass/git-r3.eclass
index bc7d4d920299..42b586811368 100644
--- a/eclass/git-r3.eclass
+++ b/eclass/git-r3.eclass
@@ -105,10 +105,14 @@ fi
 # @ECLASS-VARIABLE: EGIT_REPO_URI
 # @REQUIRED
 # @DESCRIPTION:
-# URIs to the repository, e.g. git://foo, https://foo. If multiple URIs
-# are provided, the eclass will consider them as fallback URIs to try
-# if the first URI does not work. For supported URI syntaxes, read up
-# the manpage for git-clone(1).
+# URIs to the repository, e.g. https://foo. If multiple URIs are
+# provided, the eclass will consider the remaining URIs as fallbacks
+# to try if the first URI does not work. For supported URI syntaxes,
+# read up the manpage for git-clone(1).
+#
+# URIs should be using https:// whenever possible. http:// and git://
+# URIs are unsafe and their use (even if only as a fallback) makes
+# MITM attacks possible.
 #
 # It can be overriden via env using ${PN}_LIVE_REPO variable.
 #
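Review bot: The added paragraph ("URIs should be using https:// whenever possible") names only http:// and git:// as unsafe and only https:// as the alternative, while the description still points at git-clone(1) for the full set of URI syntaxes; state on which side other transports such as ssh:// or ftp:// fall so the rule is complete. In the same block, "read up the manpage" reads better as "read the manpage", and the context line "It can be overriden" carries a typo ("overridden") that could be fixed while the paragraph is being touched.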
@@ -116,7 +120,7 @@ fi
 #
 # Example:
 # @CODE
-# EGIT_REPO_URI="git://a/b.git https://c/d.git"
+# EGIT_REPO_URI="https://a/b.git https://c/d.git"
 # @CODE
 
 # @ECLASS-VARIABLE: EVCS_OFFLINE
-- 
2.14.1




* [gentoo-dev] [PATCH 2/2] git-r3.eclass: Explicitly warn about unsecure protocols
  2017-08-19  8:25 [gentoo-dev] [PATCH 1/2] git-r3.eclass: Update docs to discourage unsafe protocols Michał Górny
@ 2017-08-19  8:25 ` Michał Górny
  2017-08-19 22:01   ` [gentoo-dev] " Duncan
  2017-08-23  8:46   ` [gentoo-dev] " Andrew Savchenko
  2017-08-20 18:05 ` [gentoo-dev] [PATCH 1/2] git-r3.eclass: Update docs to discourage unsafe protocols William Hubbs
  2017-08-25 13:52 ` Michał Górny
  2 siblings, 2 replies; 12+ messages in thread
From: Michał Górny @ 2017-08-19  8:25 UTC (permalink / raw)
  To: gentoo-dev; +Cc: Michał Górny

Explicitly warn about any URI that uses an unsecure protocol (git, http)
even if it's a fallback URI. This is necessary because an attacker may
block HTTPS connections, effectively forcing the fallback to
the unsecure protocol.
---
 eclass/git-r3.eclass | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/eclass/git-r3.eclass b/eclass/git-r3.eclass
index 42b586811368..1eb0baedc67f 100644
--- a/eclass/git-r3.eclass
+++ b/eclass/git-r3.eclass
@@ -570,6 +570,15 @@ git-r3_fetch() {
 
 	[[ ${repos[@]} ]] || die "No URI provided and EGIT_REPO_URI unset"
 
+	local r
+	for r in "${repos[@]}"; do
+		if [[ ${r} == git:* || ${r} == http:* ]]; then
+			ewarn "git-r3: ${r%%:*} protocol in unsafe and may be subject to MITM attacks"
+			ewarn "(even if used only as fallback). Please use https instead."
+			ewarn "[URI: ${r}]"
+		fi
+	done
+
 	local -x GIT_DIR
 	_git-r3_set_gitdir "${repos[0]}"
 
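Review bot: In the new loop ahead of `local -x GIT_DIR`, an unsafe URI only triggers `ewarn` and stays in `repos`, so the fetch can still fall back to it in exactly the blocked-HTTPS case the commit message describes; either skip or reject cleartext entries when a secure URI is also listed, or say in the warning that the fetch proceeds anyway. The test `${r} == git:* || ${r} == http:*` also lets other cleartext schemes such as ftp: pass without a warning. The first `ewarn` has a typo: "in unsafe" should be "is unsafe".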
@@ -582,7 +591,7 @@ git-r3_fetch() {
 	fi
 
 	# try to fetch from the remote
-	local r success saved_umask
+	local success saved_umask
 	if [[ ${EVCS_UMASK} ]]; then
 		saved_umask=$(umask)
 		umask "${EVCS_UMASK}" || die "Bad options to umask: ${EVCS_UMASK}"
-- 
2.14.1




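The commit message above explains that an attacker who blocks HTTPS forces the fetch onto a fallback URI, so a URI list is only as strong as its weakest entry. The following POSIX shell code is an added example, not code from git-r3.eclass or its authors: the hypothetical helpers `uri_transport` and `audit_repo_uris` go beyond the patch by also classifying ftp://, ssh:// and scp-like URIs and by rejecting the whole list instead of warning. The sample lists are constructed.

```sh
#!/bin/sh
# Added example, not git-r3.eclass code. uri_transport and audit_repo_uris
# are hypothetical helper names.

# uri_transport URI
# Prints the transport class of one repository URI:
#   encrypted | cleartext | local | unknown
uri_transport() {
	case $1 in
		*://*)
			# Lower-case the scheme so a mixed-case spelling is not missed.
			case $(printf '%s' "${1%%://*}" | tr '[:upper:]' '[:lower:]') in
				https|ssh|ftps) echo encrypted ;;
				http|git|ftp)   echo cleartext ;;
				file)           echo local ;;
				*)              echo unknown ;;
			esac ;;
		*:*)
			case ${1%%:*} in
				*/*) echo local ;;      # slash before the first colon: a path
				*)   echo encrypted ;;  # scp-like host:path, which git runs over ssh
			esac ;;
		*) echo local ;;
	esac
}

# audit_repo_uris "URI1 URI2 ..."
# Prints "<role> <class> <uri>" for every entry and returns 0 only if no
# entry, primary or fallback, is cleartext or unknown. Runs in a subshell
# so that "set -f" (no globbing while splitting the list) stays contained.
audit_repo_uris() (
	set -f
	pos=0
	bad=0
	for u in $1; do
		pos=$((pos + 1))
		if [ "$pos" -eq 1 ]; then role=primary; else role=fallback; fi
		class=$(uri_transport "$u")
		printf '%s %s %s\n' "$role" "$class" "$u"
		case $class in
			cleartext|unknown) bad=$((bad + 1)) ;;
		esac
	done
	[ "$bad" -eq 0 ]
)

# Constructed sample lists in the EGIT_REPO_URI format shown in the patch.
for list in \
	"git://a/b.git https://c/d.git" \
	"https://a/b.git git://a/b.git" \
	"https://a/b.git https://c/d.git"
do
	if audit_repo_uris "$list"; then
		echo "=> accept"
	else
		echo "=> reject: list contains a cleartext or unknown URI"
	fi
done
```

The second list is the case the commit message is about: the primary URI is https, but the list is still rejected because the git:// fallback is what a blocked connection would end up using.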
* [gentoo-dev] Re: [PATCH 2/2] git-r3.eclass: Explicitly warn about unsecure protocols
  2017-08-19  8:25 ` [gentoo-dev] [PATCH 2/2] git-r3.eclass: Explicitly warn about unsecure protocols Michał Górny
@ 2017-08-19 22:01   ` Duncan
  2017-08-19 22:39     ` Michał Górny
  2017-08-23  8:46   ` [gentoo-dev] " Andrew Savchenko
  1 sibling, 1 reply; 12+ messages in thread
From: Duncan @ 2017-08-19 22:01 UTC (permalink / raw)
  To: gentoo-dev

Michał Górny posted on Sat, 19 Aug 2017 10:25:02 +0200 as excerpted:

> Explicitly warn about any URI that uses an unsecure protocol (git, http)
> even if it's a fallback URI. This is necessary because an attacker may
> block HTTPS connections, effectively forcing the fallback to
> the unsecure protocol.

Thanks for this pair of patches.  One minor correction, below.

>  eclass/git-r3.eclass | 11 ++++++++++-
>  1 file changed, 10 insertions(+), 1 deletion(-)
> 
> diff --git a/eclass/git-r3.eclass b/eclass/git-r3.eclass
> index 42b586811368..1eb0baedc67f 100644
> --- a/eclass/git-r3.eclass
> +++ b/eclass/git-r3.eclass
> @@ -570,6 +570,15 @@ git-r3_fetch() {
>  
>  	[[ ${repos[@]} ]] || die "No URI provided and EGIT_REPO_URI unset"
>  
> +	local r
> +	for r in "${repos[@]}"; do
> +		if [[ ${r} == git:* || ${r} == http:* ]]; then
> +			ewarn "git-r3: ${r%%:*} protocol in unsafe and may be subject to MITM attacks"

s/in unsafe/is unsafe/

(Though I can imagine a point at which "unsafe" becomes a list/array, defined
at the top of the function along with the other defines, or in a new git-r3_check_unsafe
function, at which point "in unsafe" could make sense.  But that's not the structure here.)

> +			ewarn "(even if used only as fallback). Please use https instead."
> +			ewarn "[URI: ${r}]"
> +		fi
> +	done
> +
>  	local -x GIT_DIR
>  	_git-r3_set_gitdir "${repos[0]}"
>  
> @@ -582,7 +591,7 @@ git-r3_fetch() {
>  	fi
>  
>  	# try to fetch from the remote
> -	local r success saved_umask
> +	local success saved_umask
>  	if [[ ${EVCS_UMASK} ]]; then
>  		saved_umask=$(umask)
>  		umask "${EVCS_UMASK}" || die "Bad options to umask: ${EVCS_UMASK}"

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman




* Re: [gentoo-dev] Re: [PATCH 2/2] git-r3.eclass: Explicitly warn about unsecure protocols
  2017-08-19 22:01   ` [gentoo-dev] " Duncan
@ 2017-08-19 22:39     ` Michał Górny
  0 siblings, 0 replies; 12+ messages in thread
From: Michał Górny @ 2017-08-19 22:39 UTC (permalink / raw)
  To: gentoo-dev

On Sat, 19.08.2017 at 22:01 +0000, Duncan wrote:
> Michał Górny posted on Sat, 19 Aug 2017 10:25:02 +0200 as excerpted:
> 
> > Explicitly warn about any URI that uses an unsecure protocol (git, http)
> > even if it's a fallback URI. This is necessary because an attacker may
> > block HTTPS connections, effectively forcing the fallback to
> > the unsecure protocol.
> 
> Thanks for this pair of patches.  One minor correction, below.
> 
> >  eclass/git-r3.eclass | 11 ++++++++++-
> >  1 file changed, 10 insertions(+), 1 deletion(-)
> > 
> > diff --git a/eclass/git-r3.eclass b/eclass/git-r3.eclass
> > index 42b586811368..1eb0baedc67f 100644
> > --- a/eclass/git-r3.eclass
> > +++ b/eclass/git-r3.eclass
> > @@ -570,6 +570,15 @@ git-r3_fetch() {
> >  
> >  	[[ ${repos[@]} ]] || die "No URI provided and EGIT_REPO_URI unset"
> >  
> > +	local r
> > +	for r in "${repos[@]}"; do
> > +		if [[ ${r} == git:* || ${r} == http:* ]]; then
> > +			ewarn "git-r3: ${r%%:*} protocol in unsafe and may be subject to MITM attacks"
> 
> s/in unsafe/is unsafe/
> 

Thanks, fixed locally.

-- 
Best regards,
Michał Górny




* Re: [gentoo-dev] [PATCH 1/2] git-r3.eclass: Update docs to discourage unsafe protocols
  2017-08-19  8:25 [gentoo-dev] [PATCH 1/2] git-r3.eclass: Update docs to discourage unsafe protocols Michał Górny
  2017-08-19  8:25 ` [gentoo-dev] [PATCH 2/2] git-r3.eclass: Explicitly warn about unsecure protocols Michał Górny
@ 2017-08-20 18:05 ` William Hubbs
  2017-08-20 19:25   ` Michał Górny
  2017-08-25 13:52 ` Michał Górny
  2 siblings, 1 reply; 12+ messages in thread
From: William Hubbs @ 2017-08-20 18:05 UTC (permalink / raw)
  To: gentoo-dev; +Cc: Michał Górny


On Sat, Aug 19, 2017 at 10:25:01AM +0200, Michał Górny wrote:
> ---
>  eclass/git-r3.eclass | 14 +++++++++-----
>  1 file changed, 9 insertions(+), 5 deletions(-)
> 
> diff --git a/eclass/git-r3.eclass b/eclass/git-r3.eclass
> index bc7d4d920299..42b586811368 100644
> --- a/eclass/git-r3.eclass
> +++ b/eclass/git-r3.eclass
> @@ -105,10 +105,14 @@ fi
>  # @ECLASS-VARIABLE: EGIT_REPO_URI
>  # @REQUIRED
>  # @DESCRIPTION:
> -# URIs to the repository, e.g. git://foo, https://foo. If multiple URIs
> -# are provided, the eclass will consider them as fallback URIs to try
> -# if the first URI does not work. For supported URI syntaxes, read up
> -# the manpage for git-clone(1).
> +# URIs to the repository, e.g. https://foo. If multiple URIs are
> +# provided, the eclass will consider the remaining URIs as fallbacks
> +# to try if the first URI does not work. For supported URI syntaxes,
> +# read up the manpage for git-clone(1).

s/read up/read/

> +# URIs should be using https:// whenever possible. http:// and git://
> +# URIs are unsafe and their use (even if only as a fallback) makes
> +# MITM attacks possible.
>  #
>  # It can be overriden via env using ${PN}_LIVE_REPO variable.

s/overriden/overridden/

Thanks,

William



* Re: [gentoo-dev] [PATCH 1/2] git-r3.eclass: Update docs to discourage unsafe protocols
  2017-08-20 18:05 ` [gentoo-dev] [PATCH 1/2] git-r3.eclass: Update docs to discourage unsafe protocols William Hubbs
@ 2017-08-20 19:25   ` Michał Górny
  0 siblings, 0 replies; 12+ messages in thread
From: Michał Górny @ 2017-08-20 19:25 UTC (permalink / raw)
  To: gentoo-dev

On Sun, 20.08.2017 at 13:05 -0500, William Hubbs wrote:
> On Sat, Aug 19, 2017 at 10:25:01AM +0200, Michał Górny wrote:
> > ---
> >  eclass/git-r3.eclass | 14 +++++++++-----
> >  1 file changed, 9 insertions(+), 5 deletions(-)
> > 
> > diff --git a/eclass/git-r3.eclass b/eclass/git-r3.eclass
> > index bc7d4d920299..42b586811368 100644
> > --- a/eclass/git-r3.eclass
> > +++ b/eclass/git-r3.eclass
> > @@ -105,10 +105,14 @@ fi
> >  # @ECLASS-VARIABLE: EGIT_REPO_URI
> >  # @REQUIRED
> >  # @DESCRIPTION:
> > -# URIs to the repository, e.g. git://foo, https://foo. If multiple URIs
> > -# are provided, the eclass will consider them as fallback URIs to try
> > -# if the first URI does not work. For supported URI syntaxes, read up
> > -# the manpage for git-clone(1).
> > +# URIs to the repository, e.g. https://foo. If multiple URIs are
> > +# provided, the eclass will consider the remaining URIs as fallbacks
> > +# to try if the first URI does not work. For supported URI syntaxes,
> > +# read up the manpage for git-clone(1).
> 
> s/read up/read/
> 
> > +# URIs should be using https:// whenever possible. http:// and git://
> > +# URIs are unsafe and their use (even if only as a fallback) makes
> > +# MITM attacks possible.
> >  #
> >  # It can be overriden via env using ${PN}_LIVE_REPO variable.
> 
> s/overriden/overridden/
> 

Fixed, thanks.

-- 
Best regards,
Michał Górny




* Re: [gentoo-dev] [PATCH 2/2] git-r3.eclass: Explicitly warn about unsecure protocols
  2017-08-19  8:25 ` [gentoo-dev] [PATCH 2/2] git-r3.eclass: Explicitly warn about unsecure protocols Michał Górny
  2017-08-19 22:01   ` [gentoo-dev] " Duncan
@ 2017-08-23  8:46   ` Andrew Savchenko
  2017-08-25 13:51     ` Michał Górny
  2017-08-25 15:46     ` Hanno Böck
  1 sibling, 2 replies; 12+ messages in thread
From: Andrew Savchenko @ 2017-08-23  8:46 UTC (permalink / raw)
  To: gentoo-dev


On Sat, 19 Aug 2017 10:25:02 +0200 Michał Górny wrote:
> Explicitly warn about any URI that uses an unsecure protocol (git, http)
> even if it's a fallback URI. This is necessary because an attacker may
> block HTTPS connections, effectively forcing the fallback to
> the unsecure protocol.
[...]
> +	local r
> +	for r in "${repos[@]}"; do
> +		if [[ ${r} == git:* || ${r} == http:* ]]; then
> +			ewarn "git-r3: ${r%%:*} protocol in unsafe and may be subject to MITM attacks"
> +			ewarn "(even if used only as fallback). Please use https instead."
> +			ewarn "[URI: ${r}]"
> +		fi
> +	done
> +

Sigh... https also makes MITM attacks possible, especially if SSL
or TLS < 1.2 is used or allowed and a protocol version downgrade
attack may be performed.

Such messages create a false impression of the safety of https.
Safety more or less can be gained by verifying GPG signatures and
fingerprints of the upstream commits, if upstream supports this. Of
course using https is better than using http or git, but better
only by a bit.

Best regards,
Andrew Savchenko


* Re: [gentoo-dev] [PATCH 2/2] git-r3.eclass: Explicitly warn about unsecure protocols
  2017-08-23  8:46   ` [gentoo-dev] " Andrew Savchenko
@ 2017-08-25 13:51     ` Michał Górny
  2017-09-03 18:00       ` Andrew Savchenko
  2017-08-25 15:46     ` Hanno Böck
  1 sibling, 1 reply; 12+ messages in thread
From: Michał Górny @ 2017-08-25 13:51 UTC (permalink / raw)
  To: gentoo-dev

On Wed, 23.08.2017 at 11:46 +0300, Andrew Savchenko wrote:
> On Sat, 19 Aug 2017 10:25:02 +0200 Michał Górny wrote:
> > Explicitly warn about any URI that uses an unsecure protocol (git, http)
> > even if it's a fallback URI. This is necessary because an attacker may
> > block HTTPS connections, effectively forcing the fallback to
> > the unsecure protocol.
> 
> [...]
> > +	local r
> > +	for r in "${repos[@]}"; do
> > +		if [[ ${r} == git:* || ${r} == http:* ]]; then
> > +			ewarn "git-r3: ${r%%:*} protocol in unsafe and may be subject to MITM attacks"
> > +			ewarn "(even if used only as fallback). Please use https instead."
> > +			ewarn "[URI: ${r}]"
> > +		fi
> > +	done
> > +
> 
> Sigh... https also makes MITM attacks possible, especially if SSL
> or TLS < 1.2 is used or allowed and a protocol version downgrade
> attack may be performed.
> 
> Such messages create a false impression of the safety of https.
> Safety more or less can be gained by verifying GPG signatures and
> fingerprints of the upstream commits, if upstream supports this. Of
> course using https is better than using http or git, but better
> only by a bit.
> 

Yes, we can do a whole long debate about problems with HTTPS. Yes, we
can do an even longer debate about all those fancy solutions that solve
all the problems in the world, except they're completely not applicable
in practice. People will become a lot wiser and/or depressed.

However, I'd rather do what I can practically do to make a real
difference. And I believe that making things a little safer is better
than claiming that nothing is safe, so let's just abandon all hope
and continue using completely unsecured protocols.

Nevertheless, I've changed the wording a bit to avoid giving this 'false
impression' that https is entirely secure.

-- 
Best regards,
Michał Górny




* Re: [gentoo-dev] [PATCH 1/2] git-r3.eclass: Update docs to discourage unsafe protocols
  2017-08-19  8:25 [gentoo-dev] [PATCH 1/2] git-r3.eclass: Update docs to discourage unsafe protocols Michał Górny
  2017-08-19  8:25 ` [gentoo-dev] [PATCH 2/2] git-r3.eclass: Explicitly warn about unsecure protocols Michał Górny
  2017-08-20 18:05 ` [gentoo-dev] [PATCH 1/2] git-r3.eclass: Update docs to discourage unsafe protocols William Hubbs
@ 2017-08-25 13:52 ` Michał Górny
  2 siblings, 0 replies; 12+ messages in thread
From: Michał Górny @ 2017-08-25 13:52 UTC (permalink / raw)
  To: gentoo-dev

On Sat, 19.08.2017 at 10:25 +0200, Michał Górny wrote:
> ---
>  eclass/git-r3.eclass | 14 +++++++++-----
>  1 file changed, 9 insertions(+), 5 deletions(-)
> 
> diff --git a/eclass/git-r3.eclass b/eclass/git-r3.eclass
> index bc7d4d920299..42b586811368 100644
> --- a/eclass/git-r3.eclass
> +++ b/eclass/git-r3.eclass
> @@ -105,10 +105,14 @@ fi
>  # @ECLASS-VARIABLE: EGIT_REPO_URI
>  # @REQUIRED
>  # @DESCRIPTION:
> -# URIs to the repository, e.g. git://foo, https://foo. If multiple URIs
> -# are provided, the eclass will consider them as fallback URIs to try
> -# if the first URI does not work. For supported URI syntaxes, read up
> -# the manpage for git-clone(1).
> +# URIs to the repository, e.g. https://foo. If multiple URIs are
> +# provided, the eclass will consider the remaining URIs as fallbacks
> +# to try if the first URI does not work. For supported URI syntaxes,
> +# read up the manpage for git-clone(1).
> +#
> +# URIs should be using https:// whenever possible. http:// and git://
> +# URIs are unsafe and their use (even if only as a fallback) makes
> +# MITM attacks possible.
>  #
>  # It can be overriden via env using ${PN}_LIVE_REPO variable.
>  #
> @@ -116,7 +120,7 @@ fi
>  #
>  # Example:
>  # @CODE
> -# EGIT_REPO_URI="git://a/b.git https://c/d.git"
> +# EGIT_REPO_URI="https://a/b.git https://c/d.git"
>  # @CODE
>  
>  # @ECLASS-VARIABLE: EVCS_OFFLINE

Committed.

-- 
Best regards,
Michał Górny




* Re: [gentoo-dev] [PATCH 2/2] git-r3.eclass: Explicitly warn about unsecure protocols
  2017-08-23  8:46   ` [gentoo-dev] " Andrew Savchenko
  2017-08-25 13:51     ` Michał Górny
@ 2017-08-25 15:46     ` Hanno Böck
  2017-09-03 18:08       ` Andrew Savchenko
  1 sibling, 1 reply; 12+ messages in thread
From: Hanno Böck @ 2017-08-25 15:46 UTC (permalink / raw)
  To: gentoo-dev


On Wed, 23 Aug 2017 11:46:02 +0300
Andrew Savchenko <bircoph@gentoo.org> wrote:

> Sigh... https also makes MITM attacks possible, especially if SSL
> or TLS < 1.2 is used or allowed and a protocol version downgrade
> attack may be performed.

None of that is true.

You're probably referring to attacks that were specific to certain
browser weaknesses, but they're irrelevant for this use case.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42


* Re: [gentoo-dev] [PATCH 2/2] git-r3.eclass: Explicitly warn about unsecure protocols
  2017-08-25 13:51     ` Michał Górny
@ 2017-09-03 18:00       ` Andrew Savchenko
  0 siblings, 0 replies; 12+ messages in thread
From: Andrew Savchenko @ 2017-09-03 18:00 UTC (permalink / raw)
  To: gentoo-dev


On Fri, 25 Aug 2017 15:51:25 +0200 Michał Górny wrote:
> On Wed, 23.08.2017 at 11:46 +0300, Andrew Savchenko wrote:
> > On Sat, 19 Aug 2017 10:25:02 +0200 Michał Górny wrote:
> > > Explicitly warn about any URI that uses an unsecure protocol (git, http)
> > > even if it's a fallback URI. This is necessary because an attacker may
> > > block HTTPS connections, effectively forcing the fallback to
> > > the unsecure protocol.
> > 
> > [...]
> > > +	local r
> > > +	for r in "${repos[@]}"; do
> > > +		if [[ ${r} == git:* || ${r} == http:* ]]; then
> > > +			ewarn "git-r3: ${r%%:*} protocol in unsafe and may be subject to MITM attacks"
> > > +			ewarn "(even if used only as fallback). Please use https instead."
> > > +			ewarn "[URI: ${r}]"
> > > +		fi
> > > +	done
> > > +
> > 
> > Sigh... https also makes MITM attacks possible, especially if SSL
> > or TLS < 1.2 is used or allowed and a protocol version downgrade
> > attack may be performed.
> > 
> > Such messages create a false impression of the safety of https.
> > Safety more or less can be gained by verifying GPG signatures and
> > fingerprints of the upstream commits, if upstream supports this. Of
> > course using https is better than using http or git, but better
> > only by a bit.
> > 
> 
> Yes, we can do a whole long debate about problems with HTTPS. Yes, we
> can do an even longer debate about all those fancy solutions that solve
> all the problems in the world, except they're completely not applicable
> in practice. People will become a lot wiser and/or depressed.
> 
> However, I'd rather do what I can practically do to make a real
> difference. And I believe that making things a little safer is better
> than claiming that nothing is safe, so let's just abandon all hope
> and continue using completely unsecured protocols.

I agree that it is better to have some improvement rather than nothing.

> Nevertheless, I've changed the wording a bit to avoid giving this 'false
> impression' that https is entirely secure.

Thanks, that was my main intent: to have correct docs.


Best regards,
Andrew Savchenko


* Re: [gentoo-dev] [PATCH 2/2] git-r3.eclass: Explicitly warn about unsecure protocols
  2017-08-25 15:46     ` Hanno Böck
@ 2017-09-03 18:08       ` Andrew Savchenko
  0 siblings, 0 replies; 12+ messages in thread
From: Andrew Savchenko @ 2017-09-03 18:08 UTC (permalink / raw)
  To: gentoo-dev


On Fri, 25 Aug 2017 17:46:01 +0200 Hanno Böck wrote:
> On Wed, 23 Aug 2017 11:46:02 +0300
> Andrew Savchenko <bircoph@gentoo.org> wrote:
> 
> > Sigh... https also makes MITM attacks possible, especially if SSL
> > or TLS < 1.2 is used or allowed and a protocol version downgrade
> > attack may be performed.
> 
> None of that is true.
> 
> You're probably referring to attacks that were specific to certain
> browser weaknesses, but they're irrelevant for this use case.
 
Some attacks are indeed implementation specific, but there are
several which are design flaws, e.g.:

1) BEAST attack[1]: TLS 1.0 is vulnerable regardless of
implementation (and all SSL versions).

2) BREACH attack[2]: basically this is a side-channel attack for
compressed traffic. All TLS versions are still vulnerable, the only
practical mitigation is to disable compression. It can be argued whether
this is a vulnerability in TLS or whether the TLS protocol has nothing
to do with side channels, but if a protocol is vulnerable to a
side-channel implementation-agnostic attack, it is considered by
many as a protocol misdesign.

Really SSL/TLS are very good examples of how crypto solutions should
not be designed and implemented.

[1] https://www.gracefulsecurity.com/what-is-beast/
[2] http://breachattack.com/

Best regards,
Andrew Savchenko
