Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library
On Thu, Jan 8, 2009 at 12:46 AM, Emilio Pozuelo Monfort po...@ubuntu.com wrote:
> Hi Florian, and sorry for the long delay.
>
> Florian Weimer wrote:
>> Well, it's not my package, so you don't have to listen to me. I'm also not speaking for the security team.
>
> Oh, should you have said that before, I'd have ignored all your comments :P
>
>> But I appreciate your efforts to address my concerns.
>
> And I appreciate you raising your concerns. I don't want to bring anything to Debian if it has serious security issues. Especially if it's a library that is going to be used by lots of projects (including GNOME).
>
>> From a PR point of view[1], I strongly suggest to disable it by default, and implement only the partial form which is present in Iceweasel (just look up wpad., and no DNS devolution).
>
> I've talked with upstream and he's told me he would accept any patch that disables any portion of the code that may have security implications, providing there's an option to enable it (at build time). He also prefers those portions of code to be disabled by default, so we're good.

Instead of being disabled, the code could be made dependent on an /etc/ configuration file. It is policy, you could install telnetd even if it is insecure on your local machine.

A global configuration file will be nice. And if root wants to shoot himself in his foot and allow the user to do it, why not.

Regards
Bastien

--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library
Hi Florian, and sorry for the long delay.

Florian Weimer wrote:
> Well, it's not my package, so you don't have to listen to me. I'm also not speaking for the security team.

Oh, should you have said that before, I'd have ignored all your comments :P

> But I appreciate your efforts to address my concerns.

And I appreciate you raising your concerns. I don't want to bring anything to Debian if it has serious security issues. Especially if it's a library that is going to be used by lots of projects (including GNOME).

> From a PR point of view[1], I strongly suggest to disable it by default, and implement only the partial form which is present in Iceweasel (just look up wpad., and no DNS devolution).

I've talked with upstream and he's told me he would accept any patch that disables any portion of the code that may have security implications, providing there's an option to enable it (at build time). He also prefers those portions of code to be disabled by default, so we're good.

I've made a patch to disable WPAD DNS devolution, you can have a look at it at [1]. I'll wait for Nathaniel (upstream) to review it, and if it's fine will include it in my initial upload to Debian.

Best wishes,
Emilio

[1] http://code.google.com/p/libproxy/issues/detail?id=20
Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library
Hi Florian,

Thanks for your concerns. I appreciate it.

Florian Weimer wrote:
> Not enabling WPAD with DNS devolution goes a long way towards dealing with this mess.

Would you be fine if libproxy disabled WPAD by default? I think libproxy's developers are willing to do that, according to [1].

Regards,
Emilio

[1] http://mail.gnome.org/archives/desktop-devel-list/2008-December/msg00160.html
Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library
On Sun, Dec 21, 2008 at 9:30 PM, Emilio Pozuelo Monfort po...@ubuntu.com wrote:
> Hi Florian,
>
> Thanks for your concerns. I appreciate it.
>
> Florian Weimer wrote:
>> Not enabling WPAD with DNS devolution goes a long way towards dealing with this mess.
>
> Would you be fine if libproxy disabled WPAD by default? I think libproxy's developers are willing to do that, according to [1].

Could you please explain how documentation is done, particularly inheritance of configuration stuff. Could you give an example of how an admin could forbid all users from using WPAD? Or could you give some pointers? Upstream documentation is quite sparse :-(

Regards
Bastien
Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library
* Emilio Pozuelo Monfort:

> Florian Weimer wrote:
>> Not enabling WPAD with DNS devolution goes a long way towards dealing with this mess.
>
> Would you be fine if libproxy disabled WPAD by default? I think libproxy's developers are willing to do that, according to [1].

Well, it's not my package, so you don't have to listen to me. I'm also not speaking for the security team. But I appreciate your efforts to address my concerns.

From a PR point of view[1], I strongly suggest to disable it by default, and implement only the partial form which is present in Iceweasel (just look up wpad., and no DNS devolution). If you absolutely must implement full WPAD, do not hard-code the list of TLDs/public suffixes, but use a separate Debian package which can be part of volatile. (Such a package might be useful on its own, even though the public suffix list concept is subject to fierce debates.)

There might be another security issue in WPAD (I need to look into this), but it doesn't affect the wpad. variant. This variant suffers from the drawback that DNSSEC will eventually break it, though.

[1] Otherwise, every couple of months, someone will notice that our TLD list is incomplete, and make a big fuss about it.
Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library
* Michael Banck:

> On Thu, Dec 18, 2008 at 12:51:34PM +0100, Bastien ROUCARIES wrote:
>> On Thu, Dec 18, 2008 at 12:35 PM, Bjørn Mork bm...@dod.no wrote:
>>> Florian Weimer f...@deneb.enyo.de writes:
>>> I would very much like this library to become the *only* WPAD implementation anywhere. Hopefully eventually with some ability to define local policies, where the default Debian policy could be very strict. E.g. Never trust DNS for WPAD, or Never use WPAD at all.
>>
>> I tend to agree, we have not forbidden root to do rm -arf . It is the same, it is a policy problem. With the current libproxy, could root forbid the use of WPAD, even if a user asks for it?
>
> Dan Winship, one of the libproxy authors, replied:
>
> |- The fact that it's broken doesn't change the fact that lots of
> |  sites use it

I think the question is if there are many sites where you cannot reach the WWW without performing full WPAD (including DNS devolution).

> |- It's already implemented by other programs in the distro anyway
> |  (notably Firefox)

This is incorrect. Firefox does not implement WPAD, according to this comment in the source code:

    } else if (mProxyConfig == eProxyConfig_WPAD) {
        // We diverge from the WPAD spec here in that we don't walk the
        // hosts's FQDN, stripping components until we hit a TLD. Doing so
        // is dangerous in the face of an incomplete list of TLDs, and TLDs
        // get added over time. We could consider doing only a single
        // substitution of the first component, if that proves to help
        // compatibility.

Indeed, the critical part of WPAD is DNS devolution. (The last sentence is overly optimistic, though.)

The DNS root operators probably wouldn't want us to roll out Mozilla's http://wpad/wpad.dat-style partial WPAD, either, because it creates useless traffic at the root. Traffic which can't even be offloaded similarly to the reverse lookups for RFC 1918 by the AS 112 project because it's well within the security perimeter of the global Internet.

(Iceweasel doesn't use this partial WPAD approach by default, so we have that covered.)

> |- Its use in libproxy can be disabled system-wide by the
> |  administrator
> |
> |I think in current libproxy WPAD is enabled by default though. We should
> |make sure that's changed.

The TLD/SLD blacklist in libproxy for DNS devolution is incomplete. It should use the public suffix list from Mozilla. Maybe it should even be split into a separate package, so that it can be updated separately.

The main risk is that someone has got a computer name like pc251.example.co.nz, which devolves to wpad.example.co.nz and wpad.co.nz, the latter being the problem.

There's also a concern among large organizations that DNS devolution breaks separation of administrative domains along DNS domains (that is, department1.example.com is affected by a delegation of wpad.example.com by a second department).

Not enabling WPAD with DNS devolution goes a long way towards dealing with this mess.
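The devolution walk described in the message above, as an added example (not code from libproxy, Firefox or anyone in the thread): it lists the WPAD names a host would query under a given suffix blacklist and flags the ones an incomplete list lets through. The two suffix sets are small constructed samples and the function names are hypothetical.

```python
"""WPAD DNS devolution: which names does a host end up querying?"""

# Constructed sample data, for illustration only. A real resolver would load
# the complete, regularly updated public suffix list instead.
INCOMPLETE_SUFFIXES = {"com", "org", "nz"}           # misses co.nz
REFERENCE_SUFFIXES = {"com", "org", "nz", "co.nz"}


def parents(hostname):
    """Yield the parent domains of hostname, nearest first, down to the TLD."""
    labels = [lab for lab in hostname.lower().rstrip(".").split(".") if lab]
    for i in range(1, len(labels)):
        yield ".".join(labels[i:])


def devolve(hostname, suffixes):
    """Candidate WPAD names: walk up the FQDN and stop at the first parent
    that `suffixes` lists as a public suffix (or at the bare TLD)."""
    names = []
    for parent in parents(hostname):
        if parent in suffixes or "." not in parent:
            break
        names.append("wpad." + parent)
    return names


def escaped(hostname, suffixes, reference):
    """Candidates produced with `suffixes` that sit directly under a public
    suffix according to `reference`, i.e. names outside the host's own
    registrable domain that a third party could register."""
    return [n for n in devolve(hostname, suffixes)
            if n.split(".", 1)[1] in reference]


def beyond_own_domain(hostname, suffixes):
    """Candidates above the host's immediate domain: lookups that depend on
    a parent zone run by a different administrative unit."""
    return devolve(hostname, suffixes)[1:]


if __name__ == "__main__":
    host = "pc251.example.co.nz"
    print(devolve(host, INCOMPLETE_SUFFIXES))
    print(escaped(host, INCOMPLETE_SUFFIXES, REFERENCE_SUFFIXES))
    print(devolve(host, REFERENCE_SUFFIXES))
    print(beyond_own_domain("pc1.department1.example.com", REFERENCE_SUFFIXES))
```

A non-empty result from `escaped` for any hostname in an inventory means the suffix list in use is letting lookups leave the organisation's own domain.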
Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library
* Michael Banck:

>> WPAD is a broken protocol with security issues inherent to the DNS devolution mechanism (which is also performed by libproxy). Please don't add implementations to the Debian archive.
>
> As I understand it, this library is made so that application writers don't duplicate the code all over the place.

Which is generally fine.

> If you have a better method for proxy configuration (which doesn't include changing the network all over the world in order to use it), maybe the GNOME project can use that instead.

I doubt that WPAD is necessary in lots of places to get to the WWW. Unfortunately, due to the brokenness of the DNS version of the protocol, clients are potentially exposed on any network which doesn't implement the expected variant. This is a very unfortunate situation.
Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library
* Emilio Pozuelo Monfort:

> Description : automatic proxy configuration management library
>
> libproxy is a lightweight library which makes it easy to develop applications proxy-aware with a simple and stable API.

WPAD is a broken protocol with security issues inherent to the DNS devolution mechanism (which is also performed by libproxy). Please don't add implementations to the Debian archive.
Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library
On Thu, Dec 18, 2008 at 09:30:21AM +0100, Florian Weimer wrote:
> * Emilio Pozuelo Monfort:
>> Description : automatic proxy configuration management library
>>
>> libproxy is a lightweight library which makes it easy to develop applications proxy-aware with a simple and stable API.
>
> WPAD is a broken protocol with security issues inherent to the DNS devolution mechanism (which is also performed by libproxy). Please don't add implementations to the Debian archive.

As I understand it, this library is made so that application writers don't duplicate the code all over the place.

If you have a better method for proxy configuration (which doesn't include changing the network all over the world in order to use it), maybe the GNOME project can use that instead.

Michael
Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library
Florian Weimer f...@deneb.enyo.de writes:
> * Emilio Pozuelo Monfort:
>> Description : automatic proxy configuration management library
>>
>> libproxy is a lightweight library which makes it easy to develop applications proxy-aware with a simple and stable API.
>
> WPAD is a broken protocol with security issues inherent to the DNS devolution mechanism (which is also performed by libproxy).

Agreed. Still, it is implemented and used by a number of web proxy using applications.

> Please don't add implementations to the Debian archive.

Isn't the intention to replace existing and future implementations with this library, thereby confining security issues to a single library? How many WPAD implementations are there currently in the archive? Won't adding this library be an improvement in the long run?

I would very much like this library to become the *only* WPAD implementation anywhere. Hopefully eventually with some ability to define local policies, where the default Debian policy could be very strict. E.g. Never trust DNS for WPAD, or Never use WPAD at all.

Bjørn
--
How can you say that trees are bad
Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library
On Thu, Dec 18, 2008 at 12:35 PM, Bjørn Mork bm...@dod.no wrote:
> Florian Weimer f...@deneb.enyo.de writes:
> I would very much like this library to become the *only* WPAD implementation anywhere. Hopefully eventually with some ability to define local policies, where the default Debian policy could be very strict. E.g. Never trust DNS for WPAD, or Never use WPAD at all.

I tend to agree, we have not forbidden root to do rm -arf . It is the same, it is a policy problem. With the current libproxy, could root forbid the use of WPAD, even if a user asks for it?

Regards
Bastien
Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library
On Thu, Dec 18, 2008 at 12:51:34PM +0100, Bastien ROUCARIES wrote:
> On Thu, Dec 18, 2008 at 12:35 PM, Bjørn Mork bm...@dod.no wrote:
>> Florian Weimer f...@deneb.enyo.de writes:
>> I would very much like this library to become the *only* WPAD implementation anywhere. Hopefully eventually with some ability to define local policies, where the default Debian policy could be very strict. E.g. Never trust DNS for WPAD, or Never use WPAD at all.
>
> I tend to agree, we have not forbidden root to do rm -arf . It is the same, it is a policy problem. With the current libproxy, could root forbid the use of WPAD, even if a user asks for it?

Dan Winship, one of the libproxy authors, replied:

|- The fact that it's broken doesn't change the fact that lots of
|  sites use it
|
|- It's already implemented by other programs in the distro anyway
|  (notably Firefox)
|
|- Its use in libproxy can be disabled system-wide by the
|  administrator
|
|I think in current libproxy WPAD is enabled by default though. We should
|make sure that's changed.

Michael
Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library
On Thu, Dec 18, 2008 at 6:13 PM, Michael Banck mba...@debian.org wrote:
> On Thu, Dec 18, 2008 at 12:51:34PM +0100, Bastien ROUCARIES wrote:
>> On Thu, Dec 18, 2008 at 12:35 PM, Bjørn Mork bm...@dod.no wrote:
>>> Florian Weimer f...@deneb.enyo.de writes:
>>> I would very much like this library to become the *only* WPAD implementation anywhere. Hopefully eventually with some ability to define local policies, where the default Debian policy could be very strict. E.g. Never trust DNS for WPAD, or Never use WPAD at all.
>>
>> I tend to agree, we have not forbidden root to do rm -arf . It is the same, it is a policy problem. With the current libproxy, could root forbid the use of WPAD, even if a user asks for it?
>
> Dan Winship, one of the libproxy authors, replied:
>
> |- The fact that it's broken doesn't change the fact that lots of
> |  sites use it
> |
> |- It's already implemented by other programs in the distro anyway
> |  (notably Firefox)
> |
> |- Its use in libproxy can be disabled system-wide by the
> |  administrator
> |
> |I think in current libproxy WPAD is enabled by default though. We should
> |make sure that's changed.

It will be interesting also to add a link or copy verbatim (with author permission) in README.Debian, the poison pill of this protocol, see for instance http://www.mercenary.net/blog/index.php?/archives/42-HOWTO-WPAD.html and some explanation about (in)security of wpad.

Regards
Bastien
Bug#509063: ITP: libproxy -- automatic proxy configuration management library
Package: wnpp
Severity: wishlist
Owner: Emilio Pozuelo Monfort po...@ubuntu.com

* Package name    : libproxy
  Version         : 0.2.3
  Upstream Author : Nathaniel McCallum nathan...@natemccallum.com
                    Alex Panait kipp...@gmail.com
* URL             : http://code.google.com/p/libproxy/
* License         : LGPL
  Programming Lang: C
  Description     : automatic proxy configuration management library

libproxy is a lightweight library which makes it easy to develop applications proxy-aware with a simple and stable API.

-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)