
Re: Blocking high-risk non-secure downloads

From: Emily Stark <estark@google.com>
Date: Fri, 12 Apr 2019 19:51:54 -0700
Message-ID: <CAPP_2SbTmbs63op42h=AZPuM5cvxhoMXmfDgX1HfcXg5J1e1Dw@mail.gmail.com>
To: WebAppSec WG <public-webappsec@w3.org>, robbat2@gentoo.org
Cc: Emily Stark <estark@google.com>
On Fri, Apr 12, 2019 at 12:46 AM Robin H. Johnson <robbat2@gentoo.org>
wrote:

> (I'm not on the w3 list presently, hopefully this email gets to you
> after my sub is confirmed).
>
> Emily wrote:
> > I would like to hear from developers if they are distributing downloads
> > that they can reasonably SRI but can't move to HTTPS. I know Mike and
> > others have argued vociferously in the past against allowing SRI to
> > substitute for HTTPS...
>
> Hi!
>
> From the Linux distribution front, with a hat of mirroring.
>
> SRI would be trivial to provide for our content, as we already have the
> checksums [1], but we cannot move everything to HTTPS because we don't
> control how the mirrors run their systems :-(.
>
> See Gentoo's mirrors page as an example:
> https://www.gentoo.org/downloads/mirrors/
>
> Many of the mirrors have not yet deployed HTTPS, despite requests to do
> so, or have deployed it in a way that was broken (self-signed certs,
> misconfigured vhosts).
>

Thanks for sharing this example! Do you have any more details about why the
mirrors cannot support proper HTTPS?

Even after seeing this example, I still feel a little iffy about requiring
SRI when we could be requiring HTTPS. The mirrors are going to have to
support HTTPS at some point; if not now, when? Unless we want to accept
that they will always be HTTP, now seems like as good a time as any to
require them to support HTTPS.


>
> We do include sideband signatures for verification:
> https://www.gentoo.org/downloads/signatures/
>
> The above was the general list of mirrors.
> The direct download links are here:
> https://www.gentoo.org/downloads/
>
> All of the links off that page are two formats:
> http://distfiles.gentoo.org/...
> https://bouncer.gentoo.org/...
>
> distfiles.g.o is a GeoDNS rotation that some of the larger mirrors are
> in, specifically without SSL because it would be an untrusted key, as
> those mirrors are run by third parties who are not Gentoo.
>
> Bouncer is an HTTP redirection service that tries to redirect you to a
> mirror that:
> - is close to you
> - actually has the file you're looking for
> - if requested on HTTPS, only redirects to HTTPS links where possible.
>
> [1] Example checksums file:
> https://gentoo.osuosl.org/releases/amd64/autobuilds/current-stage3-amd64/install-amd64-minimal-20190410T214502Z.iso.DIGESTS.asc
>
> --
> Robin Hugh Johnson
> Gentoo Linux: Dev, Infra Lead, Foundation Treasurer
> E-Mail   : robbat2@gentoo.org
> GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
> GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136
>
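Robin's point that SRI would be trivial to provide given the existing checksum files, and the question of what a client can actually check, as an added worked example (my code, not Gentoo's and not from this thread): it parses a DIGESTS-style listing into SRI integrity values a download page could carry, and checks downloaded bytes against one. The coreutils-style listing layout, the file name and the payload are constructed assumptions, not a real Gentoo file.

```python
import base64
import hashlib
import re

# Digest algorithms an SRI integrity attribute may use, with hex lengths.
SRI_ALGOS = {"sha256": 64, "sha384": 96, "sha512": 128}
HEADER_RE = re.compile(r"^# (\w+) HASH$")              # e.g. "# SHA512 HASH"
ENTRY_RE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(\S+)$")  # "<hex>  <filename>"


def parse_digests(text):
    """Map filename -> {algo: hexdigest} from a DIGESTS-style listing.
    PGP clearsign armour matches neither pattern and is skipped; checking
    that signature is a separate step done before trusting the listing."""
    algo, out = None, {}
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER_RE.match(line):
            algo = m.group(1).lower()
        elif algo and (m := ENTRY_RE.match(line)):
            hexdigest, fname = m.groups()
            out.setdefault(fname, {})[algo] = hexdigest.lower()
    return out


def sri_from_hex(algo, hexdigest):
    """Hex digest -> 'sha512-<base64>', the form an integrity value takes."""
    if SRI_ALGOS.get(algo) != len(hexdigest):
        raise ValueError(f"{algo}/{len(hexdigest)} hex chars is not usable for SRI")
    return f"{algo}-{base64.b64encode(bytes.fromhex(hexdigest)).decode()}"


def integrity_for(digests, fname):
    """Strongest SRI-compatible digest published for fname, else None
    (a file listed only under WHIRLPOOL, say, cannot be expressed as SRI)."""
    for algo in ("sha512", "sha384", "sha256"):
        if algo in digests.get(fname, {}):
            return sri_from_hex(algo, digests[fname][algo])
    return None


def check_integrity(data, integrity):
    """Client side: do the downloaded bytes match an integrity value?"""
    algo, _, b64 = integrity.partition("-")
    return algo in SRI_ALGOS and hashlib.new(algo, data).digest() == base64.b64decode(b64)


# Constructed sample (not a real Gentoo file): a stand-in payload and the
# clearsigned DIGESTS text a mirror would publish for it, hashed here offline.
SAMPLE_FILE = "install-amd64-minimal-CONSTRUCTED.iso"
SAMPLE_DATA = b"constructed stand-in for an ISO image\n"
SAMPLE_DIGESTS = (
    "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n"
    f"# SHA512 HASH\n{hashlib.sha512(SAMPLE_DATA).hexdigest()}  {SAMPLE_FILE}\n"
    f"# WHIRLPOOL HASH\n{'0' * 128}  {SAMPLE_FILE}\n"
    "-----BEGIN PGP SIGNATURE-----\n...\n-----END PGP SIGNATURE-----\n"
)
```

The integrity value only proves the bytes match what the listing says; if the listing or the page carrying the value arrives over plain HTTP, it is only as trustworthy as the signature check on the DIGESTS file, which is the gap the thread is weighing against requiring HTTPS.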
Received on Saturday, 13 April 2019 02:52:33 UTC
