[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#39419: On the use of HTTPS for substitute server
|
From: |
Leo Famulari |
|
Subject: |
bug#39419: On the use of HTTPS for substitute server |
|
Date: |
Wed, 5 Feb 2020 13:39:24 -0500 |
On Wed, Feb 05, 2020 at 11:34:49AM +0100, Damien Cassou wrote:
> "Leo Famulari" <address@hidden> writes:
> > So, someone who could MITM as <https://ci.guix.gnu.org> could use their
> > own X.509 certificate and pretend to be that server.
>
> IIUC, you agree with me that an attacker can't change the content of
> packages but can inspect what a user installs. This seems to contradict
> this paragraph:
>
> > HTTPS is recommended because communications are encrypted; conversely,
> > using HTTP makes all communications visible to an eavesdropper, who
> > could use the information gathered to determine, for instance, whether
> > your system has unpatched security vulnerabilities.
It is somewhat contradictory.
The server that sends your substitutes knows what substitutes you
request, by definition.
How important is that information, and what tradeoffs are we willing to
make to protect it? Guix protects this information from passive
eavesdroppers but not an active MITM.
The real important thing is, what substitutes are you requesting? This
is based on your Guix code, and we do authenticate the server you
request that from (`guix pull`). The next step is to start using
code-signing there. This is a work in progress.
> If you believe the text is good as it is, please just ignore me and
> close the ticket.
Okay, closed. Please let us know if you think the text can be improved.