Re: HTTPS (was: rubygems insecure download (and other problems))

[Donald Stufft <donald () stufft io>]

On Aug 15, 2013, at 2:38 AM, gremlin () gremlin ru wrote:

> On 14-Aug-2013 14:59:12 -0600, Kurt Seifried wrote:
>
> > everyone should be enabling HTTPS where possible,
>
> Very dangerous mistake. HTTPS should be used only for non-anonymous
> access, otherwise plain HTTP is preferred. In any case, let the users
> choose whether they want to use it.

Why would HTTP be preferred? There's practically no downside to
using HTTPS always.

> Compare to FTP vs SCP/SFTP: first is for getting files from anyone
> (into /incoming) and giving files for everyone (from /pub), second
> is for transferring your own files. Obviously, I presume FTP daemon
> to be configured for anonymous-only access.
>
> > intercepting and modifying HTTP is trivial.
>
> Yes. But intercepting and modifying HTTPS requires just an ability
> to issue client-trusted certificates (sufficient for 99% of HTTPS
> applications), so the content signing should always be preferred
> over distributor validation.

Security is always a game of margins. The set of people who can issue
a certificate for a domain they don't own AND are in a position to exploit
a user trying to install something is far smaller than the set of people who
are in a position to exploit a HTTP connection.

Content signing is preferred but that is a much harder problem to solve
in general for a repository like Rubygems than simple using TLS which
is a pretty good approximation.

> -- 
> Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
> GPG key ID: 0xEF3B1FA8, keyserver: hkp://subkeys.pgp.net
> GPG key fingerprint: 8832 FE9F A791 F796 8AC9 6E4E 909D AC45 EF3B 1FA8


-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail