CPAN Members, Greetings! I was hoping to understand the community's interest and appetite for helping to secure CPAN. I noticed that CPAN out-of-the-box uses FTP or HTTP for module downloads, sets check_sigs to 0 by default, doesn't require Module::Signature or include it in Bundle::CPAN, and that some packages don't have a signed CHECKSUMS file.
This combination of factors means that users of CPAN are vulnerable to man-in-the-middle attacks by default and broadcast their module activity on the network. Many other popular language repositories (pip, npm, crates, golang, composer) support or enforce the use of HTTPS for downloading third-party code from authoritative sources. This helps to ensure the integrity of downloaded source code and masks network activity.

I felt like a reasonable first step would be to see whether current CPAN mirrors already support HTTPS. In surveying mirrors listed in MIRRORED.BY, a majority - 99 of the 192 HTTP mirrors - already correctly support vending CPAN over HTTPS. Huzzah! A further ten vended an outdated and/or self-signed cert (easily enough fixed with Let's Encrypt - I took the liberty of notifying these mirror admins of the misconfiguration), and another 13 vended a valid cert but with the wrong CNAME. (FYI, one mirror didn't even have DNS that resolved, and its admin responded to my email that the mirror is permanently offline.) So we're already quite close to a majority of current CPAN mirrors vending on HTTPS. The "hard work" is mostly done!

The next thing to do would be to add *dst_https* for these mirrors to MIRRORED.BY and update CPAN.pm to be able to connect to HTTPS repositories and validate server certificates (the hard parts here are already implemented with LWP::Protocol::https and Mozilla::CA). Over time it would seem sensible to *prefer* HTTPS when available and then at a later time make HTTPS *required* by default so CPAN users can out-of-the-box have some mild assurance they're downloading the software they think they're downloading.

I've written up some thoughts and the details of such a plan at: https://docs.google.com/document/d/1DRkiCJhJu4RDI0u_JppBpFa0djouskxEyNHax912U_w/edit# and would *really appreciate input and comments*.
I also have an embarrassingly broken, untested, and incomplete pull request at https://github.com/andk/cpanpm/pull/119 but before further embarking on polishing the PR I wanted to ask whether this is something the community is interested in / has thought about / others have already made progress on?

Cheers,
David E. Weekly (@dweekly)
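The mirror survey described in the post can be reproduced from Perl with the same two modules the post names for the CPAN.pm side, LWP::Protocol::https and Mozilla::CA. The script below is an added example, not code from the post, from the linked pull request, or from CPAN.pm itself. It parses the dst_http entries out of a MIRRORED.BY-style stanza list (the stanza shown is constructed for this example, with www.cpan.org and cpan.metacpan.org standing in for surveyed mirrors), rewrites each to https://, and sorts each mirror into the same buckets the post reports: validates correctly, speaks HTTPS but presents a certificate that does not validate (expired, self-signed, or issued for a different name), or does not answer on 443 at all. The second, non-verifying user agent exists only to tell the last two cases apart; it is never used to fetch anything. The classify() function, the bucket names and the error-text match are all this example's own choices. Note that it makes live HTTPS connections to the hosts it lists.

```perl
#!/usr/bin/env perl
# Added example (not part of the original post or of CPAN.pm): probe the
# dst_http mirrors from a MIRRORED.BY fragment for HTTPS support with full
# certificate and hostname validation, and classify the failures.
use strict;
use warnings;
use LWP::UserAgent;   # pulls in LWP::Protocol::https on demand for https:// URLs
use Mozilla::CA;      # Mozilla root store, independent of whatever the OS ships

# Constructed MIRRORED.BY-style input for this example. Real files carry many
# more keys per stanza; only dst_http is read here. Hostnames are real CPAN
# hosts standing in for surveyed mirrors.
my $mirrored_by = <<'END';
www.cpan.org:
  frequency        = "daily"
  dst_http         = "http://www.cpan.org/"
  dst_location     = "(example)"
cpan.metacpan.org:
  frequency        = "daily"
  dst_http         = "http://cpan.metacpan.org/"
  dst_location     = "(example)"
END

# Extract every dst_http URL, in file order.
sub http_mirrors {
    my ($text) = @_;
    return map { /^\s*dst_http\s*=\s*"([^"]+)"/ ? ($1) : () } split /\n/, $text;
}

# Strict UA: chain verified against Mozilla's roots, hostname checked against
# the certificate. verify_hostname => 1 is LWP's default; it is written out so
# the intent is visible in the survey code.
my $strict = LWP::UserAgent->new(
    timeout  => 15,
    ssl_opts => {
        verify_hostname => 1,
        SSL_ca_file     => Mozilla::CA::SSL_ca_file(),
    },
);

# Lax UA: no verification at all. Used ONLY to distinguish "no HTTPS" from
# "HTTPS with a bad certificate"; never for fetching content.
my $lax = LWP::UserAgent->new(
    timeout  => 15,
    ssl_opts => { verify_hostname => 0, SSL_verify_mode => 0 },
);

# Returns (bucket, detail) for one dst_http URL.
sub classify {
    my ($http_url) = @_;
    (my $https_url = $http_url) =~ s{^http://}{https://};

    # HEAD is enough to drive the TLS handshake plus the hostname check.
    my $res = $strict->head($https_url);
    return ('ok', $res->status_line) if $res->is_success;

    # LWP reports a failed handshake as an internally generated response
    # (Client-Warning: Internal response) whose status line carries the
    # IO::Socket::SSL error text. The exact wording varies by version, so the
    # match below is a heuristic, not a contract.
    my $warning = $res->header('Client-Warning') // '';
    if ($warning eq 'Internal response') {
        my $detail = $res->status_line;
        # Only if the server really does speak TLS is this a certificate
        # problem rather than a closed port or a dead name.
        if ($lax->head($https_url)->is_success) {
            return ('wrong-name', $detail) if $detail =~ /hostname/i;
            return ('bad-cert',   $detail);
        }
        return ('no-https', $detail);
    }
    # TLS was fine but the server answered with an HTTP error (e.g. 405 for
    # HEAD); worth a manual look but not a transport-security problem.
    return ('http-error', $res->status_line);
}

for my $url (http_mirrors($mirrored_by)) {
    my ($bucket, $detail) = classify($url);
    printf "%-11s %-35s %s\n", $bucket, $url, $detail;
}
```

A mirror in the "ok" bucket is one for which a dst_https line could be added to MIRRORED.BY as the post proposes; "bad-cert" and "wrong-name" correspond to the expired/self-signed and wrong-name groups the post counted, and "no-https" covers both mirrors that only serve plain HTTP and names that no longer resolve. Whether CPAN.pm itself will then honour an https:// entry in urllist depends on the CPAN.pm changes the post describes, so the script only tells you what the mirrors are ready for.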