Hi, A while ago I noted that the FSF has made an evaluation of code hosting services and Savannah got rated as an A. I found that irritating, because based on my experience savannah has some severe security issues - which gave me the impression that the FSF only cares about free code (on which I agree) and not other issues, which I find worrying.
I now checked this in more detail and saw that the criteria actually contain something that indicates this is not the case: "Support HTTPS properly and securely, including the site's certificates. (C6)" If I understand this correctly a "C" criterion must be met by all sites getting C or any higher rating. While this criterion is not very specific, I'd argue that savannah doesn't fulfil it for various reasons.

*The savannah webpage itself*

If you surf to the savannah webpage it is served over http unless you explicitly use an https URL. If you click on "login" there is an option "Stay in secure (https) mode after login". This all doesn't make a lot of sense. First of all, having security as something optional doesn't make any sense. It's like asking a user: "Do you want attackers to be able to impersonate you and act on your behalf?" Nobody will answer "Yes" to that. But second - more important - it's basically irrelevant, because the login page itself is served over http. Whatever the user selects there is already under full control of a potential attacker. Even though the login data usually is sent over https, this can easily be changed by an attacker with an ssl stripping attack.

*The code repositories*

Now all of the above can be alleviated a bit if a user carefully uses https all the time manually or uses a plugin like https everywhere. But even more worrying is that there is no way to access the savannah git repositories in a secure way for anonymous users. If you look at a repository site like this:

http://savannah.gnu.org/git/?group=patch

There are two ways to clone the repo: over the git:// protocol, which is plaintext and insecure, and over ssh, which is only available if you have a savannah account and are a member of that project. Therefore for all people that are not part of a project there is no secure way of getting the git code.

I think for these two reasons one cannot argue that savannah supports HTTPS "properly and securely".
I don't know if people operating savannah read this, but I'd recommend these changes:

* Remove the nonsensical login option and make security the default.
* Redirect all http queries to https.
* Set an HSTS header to avoid accidental http access.
* Create an anonymous git checkout option over HTTPS.

Until these issues have been resolved I think savannah should no longer be called an ethical code hosting option.

-- 
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
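As an added example (not part of Hanno's mail or of savannah's code), a small Python checker that evaluates recorded HTTP responses against the first three recommendations above: http requests must redirect to https, a login form must not be served over plaintext http, and https responses must carry an HSTS header with a sufficiently long max-age. The host `example.test` and all response data are constructed for the demonstration.

```python
import re
from dataclasses import dataclass


@dataclass
class Response:
    """A recorded HTTP exchange; header names are stored lower-cased."""
    url: str
    status: int
    headers: dict
    body: str = ""


def parse_hsts(value):
    """Split a Strict-Transport-Security value into its directives."""
    out = {"max_age": None, "include_subdomains": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            out["max_age"] = int(arg)
        elif name == "includesubdomains":
            out["include_subdomains"] = True
    return out


def audit(responses, min_max_age=31536000):
    """Return one finding per recommendation a response violates."""
    findings = []
    for r in responses:
        if r.url.startswith("http://"):
            loc = r.headers.get("location", "")
            # Any 3xx to an https:// URL counts as a redirect to https.
            if not (300 <= r.status < 400 and loc.startswith("https://")):
                findings.append(f"{r.url}: not redirected to https")
            # A password field on a plaintext page means the login form
            # is exposed to an ssl stripping attacker.
            if re.search(r'type\s*=\s*"?password', r.body, re.I):
                findings.append(f"{r.url}: login form served over plaintext http")
        else:
            hsts = r.headers.get("strict-transport-security")
            if hsts is None:
                findings.append(f"{r.url}: no HSTS header")
            elif (parse_hsts(hsts)["max_age"] or 0) < min_max_age:
                findings.append(f"{r.url}: HSTS max-age below {min_max_age}")
    return findings


# Constructed sample: the weak setup described in the mail, and a fixed one.
WEAK = [
    Response("http://example.test/login", 200, {"content-type": "text/html"},
             '<form><input type="password" name="pw"></form>'),
    Response("https://example.test/", 200, {"content-type": "text/html"}),
]
FIXED = [
    Response("http://example.test/login", 301,
             {"location": "https://example.test/login"}),
    Response("https://example.test/", 200,
             {"strict-transport-security": "max-age=31536000; includeSubDomains"}),
]
```

Running `audit(WEAK)` yields three findings (no redirect, plaintext login form, missing HSTS), while `audit(FIXED)` yields none; the fourth recommendation, anonymous git over HTTPS, is a repository-access question and is not covered by header checks.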