bug-guix
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#39419: On the use of HTTPS for substitute server

From: Leo Famulari
Subject: bug#39419: On the use of HTTPS for substitute server
Date: Tue, 04 Feb 2020 18:32:29 -0500
User-agent: Cyrus-JMAP/3.1.7-802-g7a41c81-fmstable-20200203v1 
On Tue, Feb 4, 2020, at 09:28, Damien Cassou wrote:
> In the manual, section Package Management>Substitutes, I can read:
> 
> > Substitute URLs can be either HTTP or HTTPS. HTTPS is recommended
> > because communications are encrypted; conversely, using HTTP makes all
> > communications visible to an eavesdropper, who could use the information
> > gathered to determine, for instance, whether your system has unpatched
> > security vulnerabilities.
> 
> A few pages later, I read:
> 
> > When using HTTPS, the server’s X.509 certificate is _not_ validated
> > (in other words, the server is not authenticated), contrary to what
> > HTTPS clients such as Web browsers usually do.  This is because Guix
> > authenticates substitute information itself, as explained above, which
> > is what we care about (whereas X.509 certificates are about
> > authenticating bindings between domain names and public keys.)
> 
> Doesn't the second paragraph contradict a bit the first? It seems to me
> that not validating a server's certificate means the client is
> vulnerable to a MITM attack where the attacker would know "whether your
> system has unpatched security vulnerabilities".

When substituting over HTTPS, the communication session with the remote
server is encrypted using TLS, as expected. It is guarded against
passive eavesdropping. However, the certificate itself is not validated
against the X.509 PKI (Mozilla's).

So, someone who could MITM as <https://ci.guix.gnu.org> could use their
own X.509 certificate and pretend to be that server.

With this capability, they could send you substitutes that your Guix
would then authenticate as having been signed by the official Guix
substitute signing key. Guix would also check that it was the substitute
it had asked for. So, unless we have missed something, the worst case is
you get the right data from the wrong server.

Guix's security model already supports mirroring of substitutes by
arbitrary remote servers. That is, the security model is about signing
substitutes, not authenticating remote servers. So, I think that it's
not very important to verify TLS certs here, and not needing a working
certificate store for substitutes improves reliability.

The relevant code for the latest Guix release is here:

https://git.savannah.gnu.org/cgit/guix.git/tree/guix/scripts/substitute.scm=
?h=3Dv1.0.1#n669
reply via email to
[Prev in Thread] Current Thread [Next in Thread]