Date: Sun, 3 Sep 2017 21:00:19 +0300
From: Andrew Savchenko
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] [PATCH 2/2] git-r3.eclass: Explicitly warn about unsecure protocols
Message-Id: <20170903210019.7c3161ae152de85db4d94a54@gentoo.org>
In-Reply-To: <1503669085.1016.4.camel@gentoo.org>
References: <20170819082502.27716-1-mgorny@gentoo.org> <20170819082502.27716-2-mgorny@gentoo.org> <20170823114602.4b19ebe6b225f4a57af3448e@gentoo.org> <1503669085.1016.4.camel@gentoo.org>
List-Id: Gentoo Linux mail
On Fri, 25 Aug 2017 15:51:25 +0200 Michał Górny wrote:
> On Wed, 23.08.2017 at 11:46 +0300, Andrew Savchenko wrote:
> > On Sat, 19 Aug 2017 10:25:02 +0200 Michał Górny wrote:
> > > Explicitly warn about any URI that uses an unsecure protocol (git, http)
> > > even if it's a fallback URI. This is necessary because an attacker may
> > > block HTTPS connections, effectively forcing the fallback to
> > > the unsecure protocol.
> > 
> > [...]
> > > + local r
> > > + for r in "${repos[@]}"; do
> > > + if [[ ${r} == git:* || ${r} == http:* ]]; then
> > > + ewarn "git-r3: ${r%%:*} protocol in unsafe and may be subject to MITM attacks"
> > > + ewarn "(even if used only as fallback). Please use https instead."
> > > + ewarn "[URI: ${r}]"
> > > + fi
> > > + done
> > > +
> > 
> > Sigh... https also makes MITM attacks possible, especially if SSL
> > or TLS < 1.2 is used or allowed and a protocol version downgrade
> > attack may be performed.
> > 
> > Such messages create a false impression of the safety of https.
> > Safety more or less can be gained by verifying GPG signatures and
> > fingerprints of the upstream commits, if upstream supports this. Of
> > course using https is better than using http or git, but better
> > only by a bit.
> > 
> 
> Yes, we can do a whole long debate about problems with HTTPS. Yes, we
> can do an even longer debate about all those fancy solutions that solve
> all the problems in the world, except they're completely not applicable
> in practice. People will become a lot wiser and/or depressed.
> 
> However, I'd rather do what I can practically do to make a real
> difference. And I believe that making things a little safer is better
> than claiming that nothing is safe, so let's just abandon all hope
> and continue using completely unsecured protocols.

I agree that it is better to have some improvement rather than nothing.

> Nevertheless, I've changed the wording a bit to avoid giving this 'false
> impression' that https is entirely secure.

Thanks, that was my main intent: to have correct docs.

Best regards,
Andrew Savchenko
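Review bot: the first ewarn string in the quoted hunk has a typo, "protocol in unsafe" should read "protocol is unsafe"; since ${r%%:*} expands to the scheme name, the line is meant to come out as e.g. `git-r3: git protocol is unsafe and may be subject to MITM attacks`. A second wording point on the same message: the commit message motivates the warning with an attacker who blocks HTTPS to force the fallback, but the ewarn text only says the scheme is unsafe; saying that the insecure URI will still be used whenever the https one fails would tell the user what the actual exposure is.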
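The attack the commit message describes (block HTTPS, let the fetch fall back to git:// or http://) is only warned about by the patch; the fallback still happens. As an added example, not code from git-r3.eclass or from either author, the bash below shows the fail-closed alternative: classify each URI by transport, walk the fallback list in order, and refuse to step down from an encrypted scheme to a cleartext one unless the user opts in. The function names, the GIT_R3_ALLOW_INSECURE variable, the scheme table and the fake_fetch stand-in for the real clone are all assumptions made for this example.

```bash
#!/bin/bash
# Added example, not part of git-r3.eclass. Function names, the
# GIT_R3_ALLOW_INSECURE variable, the scheme table and fake_fetch are
# assumptions for this demonstration.

# Classify one git URI: secure (https, ssh and the scp-like user@host:path
# form, which is carried over ssh), insecure (git, http), local (plain path)
# or unknown (any other scheme).
git_uri_class() {
    local uri=$1
    case ${uri} in
        https://*|ssh://*|git+ssh://*|ssh+git://*) echo secure ;;
        git://*|http://*)                          echo insecure ;;
        *://*)                                     echo unknown ;;
        /*)                                        echo local ;;
        *:*)                                       echo secure ;;
        *)                                         echo unknown ;;
    esac
}

# Try each URI in order with the command given as $1 (called with the URI as
# its only argument, 0 on success). Returns 0 on success, 1 if every URI
# failed, and 2 if a cleartext URI follows a secure one while
# GIT_R3_ALLOW_INSECURE is unset: that is exactly the downgrade an attacker
# who blocks HTTPS is trying to provoke, so it must not happen silently.
git_fetch_with_fallback() {
    local try_cmd=$1; shift
    local uri cls seen_secure=0
    for uri in "$@"; do
        cls=$(git_uri_class "${uri}")
        if [ "${cls}" = insecure ]; then
            if [ "${seen_secure}" = 1 ] && [ -z "${GIT_R3_ALLOW_INSECURE}" ]; then
                echo "git-r3: refusing to fall back from a secure URI to ${uri}" >&2
                return 2
            fi
            echo "git-r3: ${uri%%:*} protocol is unsafe and may be subject to MITM attacks [URI: ${uri}]" >&2
        elif [ "${cls}" = secure ]; then
            seen_secure=1
        fi
        if "${try_cmd}" "${uri}"; then
            return 0
        fi
    done
    return 1
}

# Constructed stand-in for the real fetch: succeeds only for REACHABLE_URI,
# which lets the demo simulate an attacker blocking the HTTPS endpoint.
fake_fetch() {
    [ "$1" = "${REACHABLE_URI}" ]
}

# Demo: HTTPS blocked, git:// reachable. Without the opt-in the downgrade is
# refused (status 2); with it the fetch succeeds over the warned-about scheme.
REACHABLE_URI=git://example.org/foo.git
rc=0; git_fetch_with_fallback fake_fetch https://example.org/foo.git git://example.org/foo.git || rc=$?
echo "without opt-in: status ${rc}"
rc=0; ( export GIT_R3_ALLOW_INSECURE=1
        git_fetch_with_fallback fake_fetch https://example.org/foo.git git://example.org/foo.git ) || rc=$?
echo "with opt-in: status ${rc}"
```

A list that starts with git:// is treated as the packager's explicit choice and only warned about, matching the patch; the refusal is reserved for the case where a secure URI was listed first and stopped working, which is the situation the commit message is worried about.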