Pretty much anybody can host a download mirror by sending Harald an email, so requiring https to download files doesn't mean much.
On Wednesday, October 25, 2017 at 6:32:26 PM UTC+2, William wrote:
>
> On Wed, Oct 25, 2017 at 9:12 AM Emmanuel Charpentier <[email protected]> wrote:
>
>> During the [discussion](https://groups.google.com/d/msg/sage-devel/fE45025Wphs/mKdCAeNhAgAJ) of
>> the inclusion of OpenSSL, a few remarks were made about the security of our
>> distribution infrastructure.
>>
>> It has been noted that http is ridiculously easy to hijack
>> <https://groups.google.com/d/msg/sage-devel/fE45025Wphs/3dfTByrIAQAJ>,
>> and some have remarked
>> <https://groups.google.com/d/msg/sage-devel/fE45025Wphs/FheYtjBWAAAJ>
>> that this potential threat also applied to the http downloads from our
>> mirrors.
>>
>> *I think we should consider this issue, and plan to post (Real Soon Now) a
>> call for discussion about this.* What is the relevant list?
>>
>> Others remarked
>> <https://groups.google.com/d/msg/sage-devel/fE45025Wphs/podOAX89AAAJ>
>> that a non-SSL-enabled pip, which impedes, for example, downloading from
>> PyPI, sort-of enhanced security by suppressing a possible source of attack.
>> No comments...
>>
>> I have a few questions:
>> * Would it be difficult/onerous/cumbersome to ask our mirrors to switch
>> to https-only service?
>> * Would such a measure significantly lower the possibility of attacks of
>> a Sage user/developer machine via "http hijacking"?
>> * What is the likelihood of such an attack?
>
> I would estimate the likelihood that some Sage user is attacked in this
> way at 99.99%. It's probably already happened. Done right it would not be
> detected. There are many extremely smart people whose jobs are related to
> crypto, and Sage is one of the standard tools of choice for cryptographers,
> which makes it a very natural target. If your full-time job involved
> gathering intelligence about cryptanalytic techniques, with bonus points
> for anything not publicly known, it's not too much of a stretch to imagine
> you might like access to all private files on the computers of cryptography
> researchers (e.g., papers/research in progress/private ideas). All it
> would take would be one slightly modified "sage -i" to install something on
> a sage-user's computer, and you would own all their data.
>
> It is irresponsible of us (me) to distribute Sage without full
> https/openssl support, at a minimum. I really appreciate everybody's help
> to resolve this...
>
> William
>
>> Your inputs, please...
>>
>> --
>> Emmanuel Charpentier
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "sage-devel" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To post to this group, send email to [email protected].
>> Visit this group at https://groups.google.com/group/sage-devel.
>> For more options, visit https://groups.google.com/d/optout.
>
> --
> -- William Stein
