Ouch! The security problem so well explained by William turns out to be a much larger "social" problem...

Worth attacking?

--
Emmanuel Charpentier

On Wednesday, 25 October 2017 21:45:37 UTC+2, Volker Braun wrote:
>
> Pretty much anybody can host a download mirror by sending Harald an email, so requiring https to download files doesn't mean much.
>
> On Wednesday, October 25, 2017 at 6:32:26 PM UTC+2, William wrote:
>>
>> On Wed, Oct 25, 2017 at 9:12 AM Emmanuel Charpentier <[email protected]> wrote:
>>
>>> During the [discussion](https://groups.google.com/d/msg/sage-devel/fE45025Wphs/mKdCAeNhAgAJ) of the inclusion of OpenSSL, a few remarks were made about the security of our distribution infrastructure.
>>>
>>> It has been noted that http is ridiculously easy to hijack <https://groups.google.com/d/msg/sage-devel/fE45025Wphs/3dfTByrIAQAJ>, and some have remarked <https://groups.google.com/d/msg/sage-devel/fE45025Wphs/FheYtjBWAAAJ> that this potential threat also applied to the http downloads from our mirrors.
>>>
>>> *I think we should consider this issue, and plan to post (Real Soon Now) a call for discussion about this.* What is the relevant list?
>>>
>>> Others remarked <https://groups.google.com/d/msg/sage-devel/fE45025Wphs/podOAX89AAAJ> that a non-SSL-enabled pip, which impedes, for example, downloading from PyPI, sort-of enhanced security by suppressing a possible source of attack. No comments...
>>>
>>> I have a few questions:
>>> * Would it be difficult/onerous/cumbersome to ask our mirrors to switch to https-only service?
>>> * Would such a measure significantly lower the possibility of attacks of a Sage user/developer machine via "http hijacking"?
>>> * What is the likelihood of such an attack?
>>>
>> I would estimate the likelihood that some Sage user is attacked in this way at 99.99%. It's probably already happened. Done right it would not be detected.
>>
>> There are many extremely smart people whose jobs are related to crypto, and Sage is one of the standard tools of choice for cryptographers, which makes it a very natural target. If your fulltime job involved gathering intelligence about cryptanalytic techniques, with bonus points for anything not publicly known, it's not too much of a stretch to imagine you might like access to all private files on the computers of cryptography researchers (e.g., papers/research in progress/private ideas). All it would take would be one slightly modified "sage -i" to install something on a sage-user's computer, and you would own all their data.
>>
>> It is irresponsible of us (me) to distribute Sage without full https/openssl support, at a minimum. I really appreciate everybody's help to resolve this...
>>
>> William
>>
>>> Your inputs, please...
>>>
>>> --
>>> Emmanuel Charpentier
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups "sage-devel" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>> To post to this group, send email to [email protected].
>>> Visit this group at https://groups.google.com/group/sage-devel.
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>> --
>> -- William Stein
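Volker's point, that anyone can operate a mirror, means transport encryption alone does not authenticate what a mirror serves; the usual defence is to pin each package to a digest obtained from the project's own trusted origin and reject any mirror copy that does not match. The sketch below is an added illustration, not code from this thread or from Sage; the mirror names and tarball bytes are constructed samples.

```python
import hashlib
import hmac

# Constructed sample: PINNED_SHA256 stands in for a digest published by the
# project's trusted origin (e.g. in a signed checksum file); the mirrors below
# are hypothetical untrusted HTTP hosts.
GENUINE_TARBALL = b"sage-pkg-1.0.tar.gz contents (constructed sample)"
PINNED_SHA256 = hashlib.sha256(GENUINE_TARBALL).hexdigest()

# mirror-a serves an altered tarball (one byte changed); mirror-b the genuine one.
MIRRORS = {
    "http://mirror-a.example": GENUINE_TARBALL[:-1] + b"!",
    "http://mirror-b.example": GENUINE_TARBALL,
}


def verify_package(data: bytes, expected_sha256: str) -> bool:
    """Return True only if data hashes to the pinned digest."""
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time comparison so the check leaks nothing about partial matches.
    return hmac.compare_digest(actual, expected_sha256)


def fetch_verified(mirrors: dict, expected_sha256: str) -> tuple:
    """Try mirrors in order; return (url, data, rejected_mirrors) for the first
    copy that matches the pinned digest. Raise if no mirror serves a good copy."""
    rejected = []
    for url, data in mirrors.items():  # stands in for an HTTP GET per mirror
        if verify_package(data, expected_sha256):
            return url, data, rejected
        rejected.append(url)  # record which mirrors served mismatching bytes
    raise RuntimeError(f"no mirror matched the pinned digest; rejected: {rejected}")


if __name__ == "__main__":
    url, _, rejected = fetch_verified(MIRRORS, PINNED_SHA256)
    print(f"accepted {url}; rejected {rejected}")
```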
