On Wed, Oct 25, 2017 at 9:12 AM Emmanuel Charpentier <
emanuel.charpent...@gmail.com> wrote:

> During the [discussion](
> https://groups.google.com/d/msg/sage-devel/fE45025Wphs/mKdCAeNhAgAJ) of
> the inclusion of OpenSSL, a few remarks were made about the security of our
> distribution infrastructure.
>
>
> It has been noted that http is ridiculously easy to hijack
> <https://groups.google.com/d/msg/sage-devel/fE45025Wphs/3dfTByrIAQAJ>,
> and some have remarked
> <https://groups.google.com/d/msg/sage-devel/fE45025Wphs/FheYtjBWAAAJ>
> that this potential threat also applied to the http downloads from our
> mirrors.
>
> *I think we should consider this issue, and plan to post (Real Soon Now) a
> call for discussion about this.* What is the relevant list ?
>
> Others remarked
> <https://groups.google.com/d/msg/sage-devel/fE45025Wphs/podOAX89AAAJ>
> that a non-SSL-enabled pip, which impedes, for example, downloading from
> PyPI, sort-of enhanced security by suppressing a possible source of attack.
> No comments...
>
> I have a few questions :
> * Would it be difficult/onerous/cumbersome to ask our mirrors to switch to
> https-only service ?
> * Would such a measure significantly lower the possibility of attacks of a
> Sage user/developer machine via "http hijacking" ?
> * What is the likelihood of such an attack ?
>

I would estimate the likelihood that some Sage user is attacked in this
way at 99.99%. It's probably already happened. Done right it would not be
detected. There are many extremely smart people whose jobs are related to
crypto, and Sage is one of the standard tools of choice for cryptographers,
which makes it a very natural target. If your full-time job involved
gathering intelligence about cryptanalytic techniques, with bonus points
for anything not publicly known, it's not too much of a stretch to imagine
you might like access to all private files on the computers of cryptography
researchers (e.g., papers/research in progress/private ideas).  All it
would take would be one slightly modified "sage -i" to install something on
a sage-user's computer, and you would own all their data.

It is irresponsible of us (me) to distribute Sage without full
https/openssl support, at a minimum.   I really appreciate everybody's help
to resolve this...

William


>
> Your inputs, please...
>
> --
> Emmanuel Charpentier
>
> --
> You received this message because you are subscribed to the Google Groups
> "sage-devel" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to sage-devel+unsubscr...@googlegroups.com.
> To post to this group, send email to sage-devel@googlegroups.com.
> Visit this group at https://groups.google.com/group/sage-devel.
> For more options, visit https://groups.google.com/d/optout.
>
-- 
-- William Stein
