Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library
On Thu, Jan 8, 2009 at 12:46 AM, Emilio Pozuelo Monfort po...@ubuntu.com wrote: Hi Florian, and sorry for the long delay. Florian Weimer wrote: Well, it's not my package, so you don't have to listen to me. I'm also not speaking for the security team. Oh, should you have said that before, I'd have ignored all your comments :P But I appreciate your efforts to address my concerns. And I appreciate you raising your concerns. I don't want to bring anything to Debian if it has serious security issues. Specially if it's a library that is going to be used by lots of projects (including GNOME). From a PR point of view[1], I strongly suggest to disable it by default, and implement only the partial form which is present in Iceweasel (just look up wpad., and no DNS devolution). I've talked with upstream and he's told me he would accept any patch that disables any portion of the code that may have security implications, providing there's an option to enable it (at build time). He also prefers those portions of code to be disabled by default, so we're good. Instead of disable code could be made dependant of /etc/ configuration file. It is policy, you could install telnetd even if it is insecure in your local machine. A global configuration file will be nice. And if root want to shoot himself in is foot and allow user to do it why not. Regards Bastien -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library
Hi Florian, and sorry for the long delay. Florian Weimer wrote: Well, it's not my package, so you don't have to listen to me. I'm also not speaking for the security team. Oh, should you have said that before, I'd have ignored all your comments :P But I appreciate your efforts to address my concerns. And I appreciate you raising your concerns. I don't want to bring anything to Debian if it has serious security issues. Specially if it's a library that is going to be used by lots of projects (including GNOME). From a PR point of view[1], I strongly suggest to disable it by default, and implement only the partial form which is present in Iceweasel (just look up wpad., and no DNS devolution). I've talked with upstream and he's told me he would accept any patch that disables any portion of the code that may have security implications, providing there's an option to enable it (at build time). He also prefers those portions of code to be disabled by default, so we're good. I've made a patch to disable WPAD DNS devolution, you can have a look at it at [1]. I'll wait for Nathaniel (upstream) to review it, and if it's fine will include it in my initial upload to Debian. Best wishes, Emilio [1] http://code.google.com/p/libproxy/issues/detail?id=20 -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library
Hi Florian, Thanks for your concerns. I appreciate it. Florian Weimer wrote: Not enabling WPAD with DNS devolution goes a long way towards dealing with this mess. Would you be fine if libproxy disabled WPAD by default? I think libproxy's developers are willing to do that, according to [1]. Regards, Emilio [1] http://mail.gnome.org/archives/desktop-devel-list/2008-December/msg00160.html -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library
On Sun, Dec 21, 2008 at 9:30 PM, Emilio Pozuelo Monfort po...@ubuntu.com wrote: Hi Florian, Thanks for your concerns. I appreciate it. Florian Weimer wrote: Not enabling WPAD with DNS devolution goes a long way towards dealing with this mess. Would you be fine if libproxy disabled WPAD by default? I think libproxy's developers are willing to do that, according to [1]. Could you please explain how documentation is done, particularly inherence of configuration stuff. Could you give an exemple how can admin could forbid for all the user to use WPAD? Or could you give some pointer. Upstream documentation is quite sparse :-( Regards Bastien -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library
* Emilio Pozuelo Monfort: Florian Weimer wrote: Not enabling WPAD with DNS devolution goes a long way towards dealing with this mess. Would you be fine if libproxy disabled WPAD by default? I think libproxy's developers are willing to do that, according to [1]. Well, it's not my package, so you don't have to listen to me. I'm also not speaking for the security team. But I appreciate your efforts to address my concerns. From a PR point of view[1], I strongly suggest to disable it by default, and implement only the partial form which is present in Iceweasel (just look up wpad., and no DNS devolution). If you absolutely must implement full WPAD, do not hard-code the list of TLDs/public suffixes, but use a separate Debian package which can be part of volatile. (Such a package might be useful on its own, even although the public suffix list concept is subject to fierce debates.) There might be another security issue in WPAD (I need to look into this), but it doesn't affect the wpad. variant. This variant suffers from the drawback that DNSSEC will eventually break it, though. [1] Otherwise, every couple of months, someone will notice that our TLD list is incomplete, and make a big fuzz about it. -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library
* Michael Banck:
On Thu, Dec 18, 2008 at 12:51:34PM +0100, Bastien ROUCARIES wrote:
On Thu, Dec 18, 2008 at 12:35 PM, Bjørn Mork bm...@dod.no wrote:
Florian Weimer f...@deneb.enyo.de writes:
I would very much like this library to become the *only* WPAD
implementation anywhere. Hopefully eventually with some ability to
define local policies, where the default Debian policy could be very
strict. E.g. Never trust DNS for WPAD, or Never use WPAD at all.
I tend to agree, we have not forbidden root to do rm -arf .
It is the same, it is a policy problem. With current libproxy, could root
forbid the use of WPAD, even if user ask it?
Dan Winship, one of the libproxy authors, replied:
|- The fact that it's broken doesn't change the fact that lots of
| sites use it
I think the question is if there are many sites where you cannot reach
the WWW without performing full WPAD (including DNS devolution).
|- It's already implemented by other programs in the distro anyway
| (notably Firefox)
This is incorrect. Firefox does not implement WPAD, according to this
comment in the source code:
} else if (mProxyConfig == eProxyConfig_WPAD) {
// We diverge from the WPAD spec here in that we don't walk the
// hosts's FQDN, stripping components until we hit a TLD. Doing so
// is dangerous in the face of an incomplete list of TLDs, and TLDs
// get added over time. We could consider doing only a single
// substitution of the first component, if that proves to help
// compatibility.
Indeed, the critical part of WPAD is DNS devolution. (The last
sentence is overly optimistic, though.)
The DNS root operators probably wouldn't want us to roll out Mozilla's
http://wpad/wpad.dat-style partial WPAD, either, because it creates
useless traffic at the root. Traffic which can't even be offloaded
similarly to the reverse lookups for RFC 1918 by the AS 112 project
because it's well within the security perimeter of the global
Internet. (Iceweasel doesn't this partial WPAD approach by default,
so we have that covered.)
|
|- Its use in libproxy can be disabled system-wide by the
| administrator
|
|I think in current libproxy WPAD is enabled by default though. We should
|make sure that's changed.
The TLD/SLD blacklist in libproxy for DNS devolution is incomplete.
It should use the public suffix list from Mozilla. Maybe it should
even be split into a separate package, so that it can be updated
separately.
The main risk is that someone has got a computer name like
pc251.example.co.nz, which devolves to wpad.example.co.nz and
wpad.co.nz, the latter being the problem. There's also a concern
among large organizations that DNS devolution breaks separation of
administrative domains along DNS domains (that is,
deparment1.example.com is affected by a delegation of wpad.example.com
by a second department).
Not enabling WPAD with DNS devolution goes a long way towards dealing
with this mess.
--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library
* Michael Banck: WPAD is a broken protocol with security issues inherent to the DNS devolution mechanism (which is also performed by libproxy). Please don't add implementations to the Debian archive. As I understand it, this library is made so that application writers don't duplicate the code all over the place. Which is generally fine. If you have a better method for proxy configuration (which doesn't include changing the network all over the world in order to use it), maybe the GNOME project can use that instead. I doubt that WPAD is necessary in lots of places to get to the WWW. Unfortunately, due to the brokenness of the DNS version of the protocol, clients are potentially exposed on any network which doesn't implement the expected variant. This is a very unfortunate situation. -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library
* Emilio Pozuelo Monfort: Description : automatic proxy configuration management library libproxy is a lightweight library which makes it easy to develop applications proxy-aware with a simple and stable API. WPAD is a broken protocol with security issues inherent to the DNS devolution mechanism (which is also performed by libproxy). Please don't add implementations to the Debian archive. -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library
On Thu, Dec 18, 2008 at 09:30:21AM +0100, Florian Weimer wrote: * Emilio Pozuelo Monfort: Description : automatic proxy configuration management library libproxy is a lightweight library which makes it easy to develop applications proxy-aware with a simple and stable API. WPAD is a broken protocol with security issues inherent to the DNS devolution mechanism (which is also performed by libproxy). Please don't add implementations to the Debian archive. As I understand it, this library is made so that application writers don't duplicate the code all over the place. If you have a better method for proxy configuration (which doesn't include changing the network all over the world in order to use it), maybe the GNOME project can use that instead. Michael -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library
Florian Weimer f...@deneb.enyo.de writes: * Emilio Pozuelo Monfort: Description : automatic proxy configuration management library libproxy is a lightweight library which makes it easy to develop applications proxy-aware with a simple and stable API. WPAD is a broken protocol with security issues inherent to the DNS devolution mechanism (which is also performed by libproxy). Agreed. Still, it is implemented and used by a number of web proxy using applications. Please don't add implementations to the Debian archive. Isn't the intention to replace existing and future implementations with this library, thereby confining security issues to a single library? How many WPAD implementations are there currently in the archive? Won't adding this library be an improvement in the long run? I would very much like this library to become the *only* WPAD implementation anywhere. Hopefully eventually with some ability to define local policies, where the default Debian policy could be very strict. E.g. Never trust DNS for WPAD, or Never use WPAD at all. Bjørn -- How can you say that trees are bad -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library
On Thu, Dec 18, 2008 at 12:35 PM, Bjørn Mork bm...@dod.no wrote: Florian Weimer f...@deneb.enyo.de writes: I would very much like this library to become the *only* WPAD implementation anywhere. Hopefully eventually with some ability to define local policies, where the default Debian policy could be very strict. E.g. Never trust DNS for WPAD, or Never use WPAD at all. I tend to agree, we have not forbidden root to do rm -arf . It is the same, it is a policy problem. With current libproxy, could root forbid the use of WPAD, even if user ask it? Regards Bastien -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library
On Thu, Dec 18, 2008 at 12:51:34PM +0100, Bastien ROUCARIES wrote: On Thu, Dec 18, 2008 at 12:35 PM, Bjørn Mork bm...@dod.no wrote: Florian Weimer f...@deneb.enyo.de writes: I would very much like this library to become the *only* WPAD implementation anywhere. Hopefully eventually with some ability to define local policies, where the default Debian policy could be very strict. E.g. Never trust DNS for WPAD, or Never use WPAD at all. I tend to agree, we have not forbidden root to do rm -arf . It is the same, it is a policy problem. With current libproxy, could root forbid the use of WPAD, even if user ask it? Dan Winship, one of the libproxy authors, replied: |- The fact that it's broken doesn't change the fact that lots of | sites use it | |- It's already implemented by other programs in the distro anyway | (notably Firefox) | |- Its use in libproxy can be disabled system-wide by the | administrator | |I think in current libproxy WPAD is enabled by default though. We should |make sure that's changed. Michael -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library
On Thu, Dec 18, 2008 at 6:13 PM, Michael Banck mba...@debian.org wrote: On Thu, Dec 18, 2008 at 12:51:34PM +0100, Bastien ROUCARIES wrote: On Thu, Dec 18, 2008 at 12:35 PM, Bjørn Mork bm...@dod.no wrote: Florian Weimer f...@deneb.enyo.de writes: I would very much like this library to become the *only* WPAD implementation anywhere. Hopefully eventually with some ability to define local policies, where the default Debian policy could be very strict. E.g. Never trust DNS for WPAD, or Never use WPAD at all. I tend to agree, we have not forbidden root to do rm -arf . It is the same, it is a policy problem. With current libproxy, could root forbid the use of WPAD, even if user ask it? Dan Winship, one of the libproxy authors, replied: |- The fact that it's broken doesn't change the fact that lots of | sites use it | |- It's already implemented by other programs in the distro anyway | (notably Firefox) | |- Its use in libproxy can be disabled system-wide by the | administrator | |I think in current libproxy WPAD is enabled by default though. We should |make sure that's changed. I will be interesting also to add a link or copy verbatim (with author permission) in README.Debian, the poisson pill of this protocol, see for instance http://www.mercenary.net/blog/index.php?/archives/42-HOWTO-WPAD.html and some explanation about (in)security of wpad. Regards Bastien -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
