bug#39419: closed (On the use of HTTPS for substitute server)

[GNU bug Tracking System]

Your message dated Wed, 5 Feb 2020 13:39:24 -0500
with message-id <address@hidden>
and subject line Re: bug#39419: On the use of HTTPS for substitute server
has caused the debbugs.gnu.org bug report #39419,
regarding On the use of HTTPS for substitute server
to be marked as done.

(If you believe you have received this mail in error, please contact
address@hidden.)


-- 
39419: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=39419
GNU Bug Tracking System
Contact address@hidden with problems
> --- Begin Message ---
>
>
>
> Subject: 
>
> On the use of HTTPS for substitute server
>
>
>
>
> Date: 
>
> Tue, 04 Feb 2020 15:28:16 +0100
>
>
>
>
> In the manual, section Package Management>Substitutes, I can read:
>
> > Substitute URLs can be either HTTP or HTTPS. HTTPS is recommended
> > because communications are encrypted; conversely, using HTTP makes all
> > communications visible to an eavesdropper, who could use the information
> > gathered to determine, for instance, whether your system has unpatched
> > security vulnerabilities.
>
> A few pages later, I read:
>
> > When using HTTPS, the server’s X.509 certificate is _not_ validated
> > (in other words, the server is not authenticated), contrary to what
> > HTTPS clients such as Web browsers usually do.  This is because Guix
> > authenticates substitute information itself, as explained above, which
> > is what we care about (whereas X.509 certificates are about
> > authenticating bindings between domain names and public keys.)
>
> Doesn't the second paragraph contradict a bit the first? It seems to me
> that not validating a server's certificate means the client is
> vulnerable to a MITM attack where the attacker would know "whether your
> system has unpatched security vulnerabilities".
>
> -- 
> Damien Cassou
>
> "Success is the ability to go from one failure to another without
> losing enthusiasm." --Winston Churchill
>
>
>
> --- End Message ---
> --- Begin Message ---
>
>
>
> Subject: 
>
> Re: bug#39419: On the use of HTTPS for substitute server
>
>
>
>
> Date: 
>
> Wed, 5 Feb 2020 13:39:24 -0500
>
>
>
>
> On Wed, Feb 05, 2020 at 11:34:49AM +0100, Damien Cassou wrote:
> > "Leo Famulari" <address@hidden> writes:
> > > So, someone who could MITM as <https://ci.guix.gnu.org> could use their
> > > own X.509 certificate and pretend to be that server.
> > 
> > IIUC, you agree with me that an attacker can't change the content of
> > packages but can inspect what a user installs. This seems to contradict
> > this paragraph:
> > 
> > > HTTPS is recommended because communications are encrypted; conversely,
> > > using HTTP makes all communications visible to an eavesdropper, who
> > > could use the information gathered to determine, for instance, whether
> > > your system has unpatched security vulnerabilities.
>
> It is somewhat contradictory.
>
> The server that sends your substitutes knows what substitutes you
> request, by definition.
>
> How important is that information, and what tradeoffs are we willing to
> make to protect it? Guix protects this information from passive
> eavesdroppers but not an active MITM.
>
> The real important thing is, what substitutes are you requesting? This
> is based on your Guix code, and we do authenticate the server you
> request that from (`guix pull`). The next step is to start using
> code-signing there. This is a work in progress.
>
> > If you believe the text is good as it is, please just ignore me and
> > close the ticket.
>
> Okay, closed. Please let us know if you think the text can be improved.
>
>
> --- End Message ---