Re: How to contact www.gwtproject.org Website?

[Thomas Broyer]

On Tuesday, July 11, 2017 at 12:42:19 PM UTC+2, salk31 wrote:
>
> I think Bob has a point. I don't think HTTPS helps that much. Isn't the 
> issue that somebody could generate a new binary that has a SHA1 that 
> matches the real binary?
>

Yes, but if you download the SDK through HTTPS, you know the file you 
receive is the one you expect.

It'd be much easier I believe to intercept traffic to gwtproject.org (which 
doesn't use HTTPS, yet [1]; I'm sure it'll be the case as soon as Google 
provides free certificates, or someone takes the time to automated it with 
Let's Encrypt, or gives some money to buy a certificate and commits to 
renew it as needed) to serve different URLs and checksums, than to craft a 
SHA1 collision.

I'd also strongly suggest people grab the JARs from the Central Repository. 
I mean, even people using build tools without so-called "managed 
dependencies" do it rather than downloading the SDK [2] (you'll notice that 
Bazel, the build tool from Google, uses SHA1 too with no stronger option 
[3], same for Maven BTW). I, for one, don't even understand why we're still 
providing those binaries, but that's another debate.

Note again that I'm not dismissing the request to change to SHA-256 (Bazel 
binaries are downloaded through HTTPS, from a page in HTTPS, and provide 
SHA-256 checksums [4]; this is definitely what we should aim for; iff we 
keep providing those binaries for GWT), I'm only pondering the criticality 
of the vulnerability. And again, as long as the website (at a minimum the 
webpage with the download links and checksums) is not served with HTTPS, 
it's useless to argue SHA-1 vs SHA-256.

If you're really serious about security, there are other priorities (and in 
the mean time, you can still compile from sources).

[1] https://github.com/gwtproject/gwt-site/issues/210
[2] https://gerrit.googlesource.com/gerrit/+/stable-2.14/WORKSPACE#103
[3] https://docs.bazel.build/versions/master/be/workspace.html#maven_jar.sha1
[4] https://github.com/bazelbuild/bazel/releases

-- 
You received this message because you are subscribed to the Google Groups "GWT 
Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to google-web-toolkit+unsubscr...@googlegroups.com.
To post to this group, send email to google-web-toolkit@googlegroups.com.
Visit this group at https://groups.google.com/group/google-web-toolkit.
For more options, visit https://groups.google.com/d/optout.

Re: How to contact www.gwtproject.org Website?

[Paul Robinson]

I'm not a security expert either, but doesn't https stop a
man-in-the-middle attack?

So the only way to cause you to download the wrong thing is to compromise
gwtproject.org, in which case they could just put the sha1 for their
altered file on there. That's much easier than creating an alternative
download with the same sha1 as the original file.

Paul

On 11 Jul 2017 11:42 am, "salk31"  wrote:

> I think Bob has a point. I don't think HTTPS helps that much. Isn't the
> issue that somebody could generate a new binary that has a SHA1 that
> matches the real binary?
>
>
> On Wednesday, July 5, 2017 at 10:30:24 PM UTC+1, Thomas Broyer wrote:
>>
>> This is not wrong, but not a real vulnerability either I believe, if only
>> because, to begin with, downloads are made through HTTPS.
>> (Don't take my words for granted though, I'm not a security expert)
>>
>> Wrt your first question, have a look at http://www.gwtproject.org/maki
>> nggwtbetter.html
>> You could post to the GWT Contributors group, or file an issue on
>> gwtproject/gwt.
>>
> --
> You received this message because you are subscribed to the Google Groups
> "GWT Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to google-web-toolkit+unsubscr...@googlegroups.com.
> To post to this group, send email to google-web-toolkit@googlegroups.com.
> Visit this group at https://groups.google.com/group/google-web-toolkit.
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups "GWT 
Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to google-web-toolkit+unsubscr...@googlegroups.com.
To post to this group, send email to google-web-toolkit@googlegroups.com.
Visit this group at https://groups.google.com/group/google-web-toolkit.
For more options, visit https://groups.google.com/d/optout.

Re: How to contact www.gwtproject.org Website?

[salk31]

I think Bob has a point. I don't think HTTPS helps that much. Isn't the 
issue that somebody could generate a new binary that has a SHA1 that 
matches the real binary?


On Wednesday, July 5, 2017 at 10:30:24 PM UTC+1, Thomas Broyer wrote:
>
> This is not wrong, but not a real vulnerability either I believe, if only 
> because, to begin with, downloads are made through HTTPS.
> (Don't take my words for granted though, I'm not a security expert)
>
> Wrt your first question, have a look at 
> http://www.gwtproject.org/makinggwtbetter.html
> You could post to the GWT Contributors group, or file an issue on 
> gwtproject/gwt.
>

-- 
You received this message because you are subscribed to the Google Groups "GWT 
Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to google-web-toolkit+unsubscr...@googlegroups.com.
To post to this group, send email to google-web-toolkit@googlegroups.com.
Visit this group at https://groups.google.com/group/google-web-toolkit.
For more options, visit https://groups.google.com/d/optout.

How to contact www.gwtproject.org Website?

[Thomas Broyer]

This is not wrong, but not a real vulnerability either I believe, if only 
because, to begin with, downloads are made through HTTPS.
(Don't take my words for granted though, I'm not a security expert)

Wrt your first question, have a look at 
http://www.gwtproject.org/makinggwtbetter.html
You could post to the GWT Contributors group, or file an issue on 
gwtproject/gwt.

-- 
You received this message because you are subscribed to the Google Groups "GWT 
Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to google-web-toolkit+unsubscr...@googlegroups.com.
To post to this group, send email to google-web-toolkit@googlegroups.com.
Visit this group at https://groups.google.com/group/google-web-toolkit.
For more options, visit https://groups.google.com/d/optout.

How to contact www.gwtproject.org Website?

[bobbitdiddle]

I looked all over that website, but either there's no contact option or 
it's hidden very well.  How do I send feedback about a problem with the 
website?

I noticed that they provide SHA1 sums for the GWT downloads, but that's 
strange because Google itself reported that SHA1 is vulnerable
https://fossbytes.com/google-broke-sha-1-encryption-hash/
https://arstechnica.com/security/2012/10/sha1-crypto-algorithm-could-fall-by-2018/
 


GWT, as well as everyone else on the web, should be using SHA256/512, not 
SHA1.

-- 
You received this message because you are subscribed to the Google Groups "GWT 
Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to google-web-toolkit+unsubscr...@googlegroups.com.
To post to this group, send email to google-web-toolkit@googlegroups.com.
Visit this group at https://groups.google.com/group/google-web-toolkit.
For more options, visit https://groups.google.com/d/optout.