On Wed, Oct 25, 2017 at 1:29 PM Emmanuel Charpentier <
emanuel.charpent...@gmail.com> wrote:

> Ouch ! The security problem so well explained by William turns out to be a
> much larger "social" problem...
>


>
> Worth attacking ?
>

I think it's better to think of computer security as being all about
defense in depth, multiple levels, weighing tradeoffs involving
inconvenience versus safety, etc.

For example, Volker remarked:

  > "Pretty much anybody can host a download mirror by sending Harald an
email, so requiring https to download files doesn't mean much."

To me, that is not really the best way to think about security.  To take
that perspective to the extreme, it is kind of like saying "The NSA can
break into your house and install a key logger, so nobody should bother
with passwords."

Yes, people can add their site as a mirror by requesting to be added.  That
is definitely a very real threat vector for us.  However, it's not the same
threat as not requiring https.   Imagine again that you are interested in
gaining access to a sage user's data.   You have many options, including:

  (1) somehow spoof one of the http mirrors,
  (2) setup a new mirror and email Harald,
   ...

It's not impossible to think of situations where (1) could be more
desirable for evil you than (2).  E.g., what if your target sage user is at
a workshop (which sage devs go to all the time), and you could have some
influence over the network at that location?   Doing (2) exposes you to
detection by the entire world potentially (so now your own attack surface
is larger, and heh, you are really shy), requires setting up stable
infrastructure, takes a lot of bandwidth, and is harder to cover your tracks.
Doing (1) could be much better for you...

There's a reason distros like Debian, etc., put a lot of thought into secure
hashes, mirrors, etc...


>
> --
> Emmanuel Charpentier
>
>
> On Wednesday, October 25, 2017 at 21:45:37 UTC+2, Volker Braun wrote:
>>
>> Pretty much anybody can host a download mirror by sending Harald an
>> email, so requiring https to download files doesn't mean much.
>>
>>
>> On Wednesday, October 25, 2017 at 6:32:26 PM UTC+2, William wrote:
>>>
>>>
>>> On Wed, Oct 25, 2017 at 9:12 AM Emmanuel Charpentier <
>>> emanuel.c...@gmail.com> wrote:
>>>
>>>> During the [discussion](
>>>> https://groups.google.com/d/msg/sage-devel/fE45025Wphs/mKdCAeNhAgAJ)
>>>> of the inclusion of OpenSSL, a few remarks were made about the security of
>>>> our distribution infrastructure.
>>>>
>>>>
>>>> It has been noted that http is ridiculously easy to hijack
>>>> <https://groups.google.com/d/msg/sage-devel/fE45025Wphs/3dfTByrIAQAJ>,
>>>> and some have remarked
>>>> <https://groups.google.com/d/msg/sage-devel/fE45025Wphs/FheYtjBWAAAJ>
>>>> that this potential threat also applied to the  http downloads from our
>>>> mirrors.
>>>>
>>>> *I think we should consider this issue, and plan to post (Real Soon Now)
>>>> a call for discussion about this.* What is the relevant list ?
>>>>
>>>> Others remarked
>>>> <https://groups.google.com/d/msg/sage-devel/fE45025Wphs/podOAX89AAAJ>
>>>> that a non-SSL-enabled pip, which impedes, for example, downloading from
>>>> PyPI, sort-of enhanced security by suppressing a possible source of attack.
>>>> No comments...
>>>>
>>>> I have a few questions :
>>>> * Would it be difficult/onerous/cumbersome to ask our mirrors to switch
>>>> to https-only service ?
>>>> * Would such a measure significantly lower the possibility of attacks
>>>> of a Sage user/developer machine via "http hijacking" ?
>>>> * what is the likelihood of such an attack ?
>>>>
>>>
>>> I would estimate the likelihood that some Sage user is attacked in this
>>> way at 99.99%. It's probably already happened. Done right it would not be
>>> detected.   There are many extremely smart people whose jobs are related to
>>> crypto, and Sage is one of the standard tools of choice for cryptographers,
>>> which makes it a very natural target.  If your fulltime job involved
>>> gathering intelligence about cryptanalytic techniques, with bonus points
>>> for anything not publicly known, it's not too much of a stretch to imagine
>>> you might like access to all private files on the computers of cryptography
>>> researchers (e.g., papers/research in progress/private ideas).  All it
>>> would take would be one slightly modified "sage -i" to install something on
>>> a sage-user's computer, and you would own all their data.
>>>
>>> It is irresponsible of us (me) to distribute Sage without full
>>> https/openssl support, at a minimum.   I really appreciate everybody's help
>>> to resolve this...
>>>
>>> William
>>>
>>>
>>>>
>>>> Your inputs, please...
>>>>
>>>> --
>>>> Emmanuel Charpentier
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "sage-devel" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to sage-devel+...@googlegroups.com.
>>>> To post to this group, send email to sage-...@googlegroups.com.
>>>> Visit this group at https://groups.google.com/group/sage-devel.
>>>> For more options, visit https://groups.google.com/d/optout.
>>>>
>>> --
>>> -- William Stein
>>>
-- 
-- William Stein
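The "secure hashes" point in William's message above, as an added example (editor's illustration, not code from the Sage project or from anyone in this thread): the bytes of a release can come from any http mirror, as long as the client checks them against a hash pinned from a channel the mirror cannot influence (the project's https site, a signed release file). The tarball contents, the file name, the pinned hash and the function names here are all constructed for the example. The last function also shows the caveat a practitioner would want: a checksum file fetched from the same http mirror adds nothing, because whoever replaced the tarball also replaced the checksum.

```python
import hashlib
import hmac

# Constructed sample: a stand-in for the bytes a mirror serves for a release.
GENUINE_TARBALL = b"sage-x.y.tar.gz: genuine release bytes (constructed sample)\n"

# Constructed sample: the same release with something extra appended, i.e.
# what a spoofed http mirror (option (1) above) would hand out instead.
TAMPERED_TARBALL = GENUINE_TARBALL + b"# planted post-install hook\n"

# The pin must come from a channel the mirror does not control (e.g. the
# project's https site or a signed release manifest). For this offline
# example it is derived from the constructed genuine bytes.
PINNED_SHA256 = hashlib.sha256(GENUINE_TARBALL).hexdigest()


def sha256_hex(data: bytes, chunk_size: int = 1 << 16) -> str:
    """Hash `data` in chunks, as one would when streaming a large tarball."""
    digest = hashlib.sha256()
    for offset in range(0, len(data), chunk_size):
        digest.update(data[offset:offset + chunk_size])
    return digest.hexdigest()


def verify_download(data: bytes, pinned_sha256: str) -> bool:
    """True iff the downloaded bytes match the out-of-band pinned hash.

    compare_digest avoids leaking how many leading characters matched;
    not critical for a public hash, but it is the idiomatic comparison.
    """
    return hmac.compare_digest(sha256_hex(data), pinned_sha256.strip().lower())


def checksum_from_same_mirror(data: bytes) -> str:
    """Models a SHA256SUMS file served by the same untrusted http mirror.

    An attacker who replaces the tarball replaces this file too, so it
    always agrees with whatever was served. Verifying against it proves
    only that the download was not corrupted in transit, not that it is
    the release the project published.
    """
    return sha256_hex(data)


def install_from_mirror(served_tarball: bytes, pinned_sha256: str) -> str:
    """Gate the install step on the pinned-hash check."""
    if not verify_download(served_tarball, pinned_sha256):
        raise ValueError("sha256 mismatch against pinned hash: refusing to install")
    return "installed"


if __name__ == "__main__":
    # Genuine bytes pass, tampered bytes are refused.
    print(install_from_mirror(GENUINE_TARBALL, PINNED_SHA256))
    try:
        install_from_mirror(TAMPERED_TARBALL, PINNED_SHA256)
    except ValueError as err:
        print("tampered download rejected:", err)
    # The caveat: a checksum from the same mirror "verifies" the tampered file.
    print("same-mirror checksum matches tampered file:",
          verify_download(TAMPERED_TARBALL,
                          checksum_from_same_mirror(TAMPERED_TARBALL)))
```

This is the same separation Debian's apt relies on: mirrors are untrusted transport, and what the client trusts is a hash (ultimately a signature) obtained independently of the mirror. Requiring https on the mirrors removes the on-path spoofing in option (1); the pinned hash additionally covers option (2), a mirror that is legitimately listed but serves modified files.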
