Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library

2009-01-08 Thread Bastien ROUCARIES
On Thu, Jan 8, 2009 at 12:46 AM, Emilio Pozuelo Monfort
po...@ubuntu.com wrote:
 Hi Florian, and sorry for the long delay.

 Florian Weimer wrote:
 Well, it's not my package, so you don't have to listen to me.  I'm
 also not speaking for the security team.

 Oh, should you have said that before, I'd have ignored all your comments :P

 But I appreciate your
 efforts to address my concerns.

 And I appreciate you raising your concerns. I don't want to bring anything to
 Debian if it has serious security issues. Especially if it's a library that is
 going to be used by lots of projects (including GNOME).

From a PR point of view[1], I strongly suggest to disable it by
 default, and implement only the partial form which is present in
 Iceweasel (just look up wpad., and no DNS devolution).

 I've talked with upstream and he's told me he would accept any patch that
 disables any portion of the code that may have security implications, 
 providing
 there's an option to enable it (at build time). He also prefers those portions
 of code to be disabled by default, so we're good.

Instead of disabling the code, it could be made dependent on an /etc/
configuration file. It is policy: you can install telnetd on your local
machine even if it is insecure.

A global configuration file would be nice. And if root wants to shoot
himself in his foot and allow users to do it, why not.

Regards

Bastien


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library

2009-01-07 Thread Emilio Pozuelo Monfort
Hi Florian, and sorry for the long delay.

Florian Weimer wrote:
 Well, it's not my package, so you don't have to listen to me.  I'm
 also not speaking for the security team.

Oh, should you have said that before, I'd have ignored all your comments :P

 But I appreciate your
 efforts to address my concerns.

And I appreciate you raising your concerns. I don't want to bring anything to
Debian if it has serious security issues. Especially if it's a library that is
going to be used by lots of projects (including GNOME).

From a PR point of view[1], I strongly suggest to disable it by
 default, and implement only the partial form which is present in
 Iceweasel (just look up wpad., and no DNS devolution).

I've talked with upstream and he's told me he would accept any patch that
disables any portion of the code that may have security implications, providing
there's an option to enable it (at build time). He also prefers those portions
of code to be disabled by default, so we're good.

I've made a patch to disable WPAD DNS devolution, you can have a look at it at
[1]. I'll wait for Nathaniel (upstream) to review it, and if it's fine will
include it in my initial upload to Debian.

Best wishes,
Emilio

[1] http://code.google.com/p/libproxy/issues/detail?id=20





Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library

2008-12-21 Thread Emilio Pozuelo Monfort
Hi Florian,

Thanks for your concerns. I appreciate it.

Florian Weimer wrote:
 Not enabling WPAD with DNS devolution goes a long way towards dealing
 with this mess.

Would you be fine if libproxy disabled WPAD by default? I think libproxy's
developers are willing to do that, according to [1].

Regards,
Emilio

[1] http://mail.gnome.org/archives/desktop-devel-list/2008-December/msg00160.html





Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library

2008-12-21 Thread Bastien ROUCARIES
On Sun, Dec 21, 2008 at 9:30 PM, Emilio Pozuelo Monfort
po...@ubuntu.com wrote:
 Hi Florian,

 Thanks for your concerns. I appreciate it.

 Florian Weimer wrote:
 Not enabling WPAD with DNS devolution goes a long way towards dealing
 with this mess.

 Would you be fine if libproxy disabled WPAD by default? I think libproxy's
 developers are willing to do that, according to [1].

Could you please explain how documentation is done, particularly
inheritance of configuration settings.
Could you give an example of how an admin could forbid all users
from using WPAD? Or could you give some pointers.
Upstream documentation is quite sparse :-(

Regards

Bastien





Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library

2008-12-21 Thread Florian Weimer
* Emilio Pozuelo Monfort:

 Florian Weimer wrote:
 Not enabling WPAD with DNS devolution goes a long way towards dealing
 with this mess.

 Would you be fine if libproxy disabled WPAD by default? I think libproxy's
 developers are willing to do that, according to [1].

Well, it's not my package, so you don't have to listen to me.  I'm
also not speaking for the security team.  But I appreciate your
efforts to address my concerns.

From a PR point of view[1], I strongly suggest to disable it by
default, and implement only the partial form which is present in
Iceweasel (just look up wpad., and no DNS devolution).  If you
absolutely must implement full WPAD, do not hard-code the list of
TLDs/public suffixes, but use a separate Debian package which can be
part of volatile.  (Such a package might be useful on its own, even
although the public suffix list concept is subject to fierce debates.)

There might be another security issue in WPAD (I need to look into
this), but it doesn't affect the wpad. variant.  This variant
suffers from the drawback that DNSSEC will eventually break it,
though.

[1] Otherwise, every couple of months, someone will notice that our
TLD list is incomplete, and make a big fuss about it.





Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library

2008-12-19 Thread Florian Weimer
* Michael Banck:

 On Thu, Dec 18, 2008 at 12:51:34PM +0100, Bastien ROUCARIES wrote:
 On Thu, Dec 18, 2008 at 12:35 PM, Bjørn Mork bm...@dod.no wrote:
  Florian Weimer f...@deneb.enyo.de writes:
 
  I would very much like this library to become the *only* WPAD
  implementation anywhere.  Hopefully eventually with some ability to
  define local policies, where the default Debian policy could be very
  strict.  E.g. Never trust DNS for WPAD, or Never use WPAD at all.
 
 I tend to agree, we have not forbidden root to do rm -arf .
 It is the same, it is a policy problem. With current libproxy, could root
  forbid the use of WPAD, even if the user asks for it?

 Dan Winship, one of the libproxy authors, replied:

 |- The fact that it's broken doesn't change the fact that lots of
 |  sites use it

I think the question is if there are many sites where you cannot reach
the WWW without performing full WPAD (including DNS devolution).

 |- It's already implemented by other programs in the distro anyway
 |  (notably Firefox)

This is incorrect.  Firefox does not implement WPAD, according to this
comment in the source code:

} else if (mProxyConfig == eProxyConfig_WPAD) {
// We diverge from the WPAD spec here in that we don't walk the
// hosts's FQDN, stripping components until we hit a TLD.  Doing so
// is dangerous in the face of an incomplete list of TLDs, and TLDs
// get added over time.  We could consider doing only a single
// substitution of the first component, if that proves to help
// compatibility.

Indeed, the critical part of WPAD is DNS devolution.  (The last
sentence is overly optimistic, though.)

The DNS root operators probably wouldn't want us to roll out Mozilla's
http://wpad/wpad.dat-style partial WPAD, either, because it creates
useless traffic at the root.  Traffic which can't even be offloaded
similarly to the reverse lookups for RFC 1918 by the AS 112 project
because it's well within the security perimeter of the global
Internet.  (Iceweasel doesn't use this partial WPAD approach by default,
so we have that covered.)

 |
 |- Its use in libproxy can be disabled system-wide by the
 |  administrator
 |
 |I think in current libproxy WPAD is enabled by default though. We should
 |make sure that's changed.

The TLD/SLD blacklist in libproxy for DNS devolution is incomplete.
It should use the public suffix list from Mozilla.  Maybe it should
even be split into a separate package, so that it can be updated
separately.

The main risk is that someone has got a computer name like
pc251.example.co.nz, which devolves to wpad.example.co.nz and
wpad.co.nz, the latter being the problem.  There's also a concern
among large organizations that DNS devolution breaks separation of
administrative domains along DNS domains (that is,
department1.example.com is affected by a delegation of wpad.example.com
by a second department).

Not enabling WPAD with DNS devolution goes a long way towards dealing
with this mess.
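As an added illustration (not code from libproxy, Iceweasel or anyone in this thread), the following Python script lists the names a WPAD DNS devolution walk would query for the pc251.example.co.nz host mentioned above, runs the walk against two constructed stop lists to show how a list that lacks co.nz lets the walk reach wpad.co.nz, flags the names that leave a department's own zone, and shows the Iceweasel-style single lookup for comparison. The suffix sets and the ws7.department1.example.com host are constructed for the demo.

```python
# Added example, not libproxy's or Mozilla's code.  Models WPAD DNS
# devolution to show where a stop list must halt the walk.

# Constructed stop lists (not the real public suffix list): one that knows
# co.nz is a registry zone, one that, like an incomplete hard-coded TLD
# blacklist, only knows the bare TLDs.
COMPLETE_SUFFIXES = {"com", "nz", "co.nz"}
INCOMPLETE_SUFFIXES = {"com", "nz"}


def devolution_candidates(fqdn):
    """Every wpad.<parent> name a full, unchecked walk would query, in order.

    The host label is dropped, then one leading label is stripped per step;
    with no stop list the walk runs all the way up to the TLD.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    return ["wpad." + ".".join(labels[i:]) for i in range(1, len(labels))]


def devolution_with_stop_list(fqdn, suffixes):
    """Names actually queried when the walk stops at a known public suffix."""
    queried = []
    for cand in devolution_candidates(fqdn):
        parent = cand[len("wpad."):]
        if parent in suffixes:
            break  # registry zone: any registrant could host wpad there
        queried.append(cand)
    return queried


def partial_wpad_candidates(fqdn):
    """Iceweasel-style partial WPAD: one lookup of the bare name, no walk."""
    return ["wpad"]


def outside_zone(candidates, own_zone):
    """Candidates that fall outside the administrative zone of the host."""
    suffix = "." + own_zone.lower()
    return [c for c in candidates if not c.endswith(suffix)]


if __name__ == "__main__":
    host = "pc251.example.co.nz"
    print("full walk:       ", devolution_candidates(host))
    print("complete list:   ", devolution_with_stop_list(host, COMPLETE_SUFFIXES))
    print("incomplete list: ", devolution_with_stop_list(host, INCOMPLETE_SUFFIXES))
    print("partial (wpad.): ", partial_wpad_candidates(host))
    dept_host = "ws7.department1.example.com"
    print("leaves department zone:",
          outside_zone(devolution_candidates(dept_host), "department1.example.com"))
```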





Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library

2008-12-19 Thread Florian Weimer
* Michael Banck:

 WPAD is a broken protocol with security issues inherent to the DNS
 devolution mechanism (which is also performed by libproxy).  Please
 don't add implementations to the Debian archive.

 As I understand it, this library is made so that application writers
 don't duplicate the code all over the place.

Which is generally fine.

 If you have a better method for proxy configuration (which doesn't
 include changing the network all over the world in order to use it),
 maybe the GNOME project can use that instead.

I doubt that WPAD is necessary in lots of places to get to the WWW.
Unfortunately, due to the brokenness of the DNS version of the
protocol, clients are potentially exposed on any network which doesn't
implement the expected variant.  This is a very unfortunate situation.





Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library

2008-12-18 Thread Florian Weimer
* Emilio Pozuelo Monfort:

   Description : automatic proxy configuration management library

  libproxy is a lightweight library which makes it easy to develop
  applications proxy-aware with a simple and stable API.

WPAD is a broken protocol with security issues inherent to the DNS
devolution mechanism (which is also performed by libproxy).  Please
don't add implementations to the Debian archive.





Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library

2008-12-18 Thread Michael Banck
On Thu, Dec 18, 2008 at 09:30:21AM +0100, Florian Weimer wrote:
 * Emilio Pozuelo Monfort:
 
Description : automatic proxy configuration management library
 
   libproxy is a lightweight library which makes it easy to develop
   applications proxy-aware with a simple and stable API.
 
 WPAD is a broken protocol with security issues inherent to the DNS
 devolution mechanism (which is also performed by libproxy).  Please
 don't add implementations to the Debian archive.

As I understand it, this library is made so that application writers
don't duplicate the code all over the place.

If you have a better method for proxy configuration (which doesn't
include changing the network all over the world in order to use it),
maybe the GNOME project can use that instead.


Michael





Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library

2008-12-18 Thread Bjørn Mork
Florian Weimer f...@deneb.enyo.de writes:
 * Emilio Pozuelo Monfort:

   Description : automatic proxy configuration management library

  libproxy is a lightweight library which makes it easy to develop
  applications proxy-aware with a simple and stable API.

 WPAD is a broken protocol with security issues inherent to the DNS
 devolution mechanism (which is also performed by libproxy). 

Agreed.  Still, it is implemented and used by a number of web proxy
using applications.

 Please don't add implementations to the Debian archive.

Isn't the intention to replace existing and future implementations with
this library, thereby confining security issues to a single library?
How many WPAD implementations are there currently in the archive?  Won't
adding this library be an improvement in the long run?

I would very much like this library to become the *only* WPAD
implementation anywhere.  Hopefully eventually with some ability to
define local policies, where the default Debian policy could be very
strict.  E.g. Never trust DNS for WPAD, or Never use WPAD at all.


Bjørn
-- 
How can you say that trees are bad





Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library

2008-12-18 Thread Bastien ROUCARIES
On Thu, Dec 18, 2008 at 12:35 PM, Bjørn Mork bm...@dod.no wrote:
 Florian Weimer f...@deneb.enyo.de writes:

 I would very much like this library to become the *only* WPAD
 implementation anywhere.  Hopefully eventually with some ability to
 define local policies, where the default Debian policy could be very
 strict.  E.g. Never trust DNS for WPAD, or Never use WPAD at all.

I tend to agree, we have not forbidden root to do rm -arf .
It is the same, it is a policy problem. With current libproxy, could root
 forbid the use of WPAD, even if the user asks for it?

Regards

Bastien





Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library

2008-12-18 Thread Michael Banck
On Thu, Dec 18, 2008 at 12:51:34PM +0100, Bastien ROUCARIES wrote:
 On Thu, Dec 18, 2008 at 12:35 PM, Bjørn Mork bm...@dod.no wrote:
  Florian Weimer f...@deneb.enyo.de writes:
 
  I would very much like this library to become the *only* WPAD
  implementation anywhere.  Hopefully eventually with some ability to
  define local policies, where the default Debian policy could be very
  strict.  E.g. Never trust DNS for WPAD, or Never use WPAD at all.
 
 I tend to agree, we have not forbidden root to do rm -arf .
 It is the same, it is a policy problem. With current libproxy, could root
  forbid the use of WPAD, even if the user asks for it?

Dan Winship, one of the libproxy authors, replied:

|- The fact that it's broken doesn't change the fact that lots of
|  sites use it
|
|- It's already implemented by other programs in the distro anyway
|  (notably Firefox)
|
|- Its use in libproxy can be disabled system-wide by the
|  administrator
|
|I think in current libproxy WPAD is enabled by default though. We should
|make sure that's changed.


Michael





Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library

2008-12-18 Thread Bastien ROUCARIES
On Thu, Dec 18, 2008 at 6:13 PM, Michael Banck mba...@debian.org wrote:
 On Thu, Dec 18, 2008 at 12:51:34PM +0100, Bastien ROUCARIES wrote:
 On Thu, Dec 18, 2008 at 12:35 PM, Bjørn Mork bm...@dod.no wrote:
  Florian Weimer f...@deneb.enyo.de writes:

  I would very much like this library to become the *only* WPAD
  implementation anywhere.  Hopefully eventually with some ability to
  define local policies, where the default Debian policy could be very
  strict.  E.g. Never trust DNS for WPAD, or Never use WPAD at all.

 I tend to agree, we have not forbidden root to do rm -arf .
 It is the same, it is a policy problem. With current libproxy, could root
  forbid the use of WPAD, even if the user asks for it?

 Dan Winship, one of the libproxy authors, replied:

 |- The fact that it's broken doesn't change the fact that lots of
 |  sites use it
 |
 |- It's already implemented by other programs in the distro anyway
 |  (notably Firefox)
 |
 |- Its use in libproxy can be disabled system-wide by the
 |  administrator
 |
 |I think in current libproxy WPAD is enabled by default though. We should
 |make sure that's changed.

It would also be interesting to add a link, or a verbatim copy (with the author's
permission), in README.Debian of the poison pill of this protocol, see for instance
http://www.mercenary.net/blog/index.php?/archives/42-HOWTO-WPAD.html
and some explanation about the (in)security of WPAD.

Regards

Bastien

