From: Philip McGrath
Subject: Re: Public key pinning in guix?
Date: Sat, 8 Jan 2022 11:37:30 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.3.1
Hi,

On 1/7/22 16:24, Maxime Devos wrote:

> The purpose is to resist a compromise of the CA system. More concretely, if you now do "guix refresh -u minetest-moreores" then a MITM that compromised a CA cannot secretly replace minetest-moreores with a mod that mines bitcoin for the MITM, or something. Possibly also useful for "guix download", "guix import", "guix lint", "guix build --with-latest=...".
>
> A downside is that whenever content.minetest.net changes public keys, the pinned public key in Guix needs to be updated. How often does this happen? I wouldn't know. This could be partially automated with a "./pre-inst-env guix update-the-pinned-keys" script, and there could be a "GUIX_IGNORE_KEY_PINNING=yes" environment variable as escape hatch.
>
> WDYT, worth the trouble or not?
This sounds like HTTP Public Key Pinning (HPKP).[1] AIUI, HTTP Public Key Pinning was deprecated, and support has been removed from major browser engines by January 2020.[2][3][4] While it seemed like a good idea for reasons like the ones you list, apparently it not only proved very difficult for site administrators to configure, with severe consequences for mistakes, it also enabled potential ransomware attacks and other bad stuff.[6]
I never followed this feature closely and don't have a strongly-held opinion on the merits, but, if the "web platform" has deprecated this feature---more concretely, if it is Considered Harmful by sysadmins and servers are configured with the expectation that no one does this any more---I don't think it would improve reliability for Guix to unilaterally revive HPKP.
-Philip

[1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning
[2]: https://scotthelme.co.uk/hpkp-is-no-more/
[3]: http://web.archive.org/web/20200618234723/https://www.fxsitecompat.dev/en-CA/docs/2019/http-public-key-pinning-is-no-longer-supported/
[4]: https://chromestatus.com/feature/5903385005916160
[5]: https://groups.google.com/a/chromium.org/g/blink-dev/c/he9tr7p3rZ8/m/eNMwKPmUBAAJ
[6]: https://scotthelme.co.uk/using-security-features-to-do-bad-things/
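Added illustration, not part of this thread or of Guix: an HPKP-style pin check in the shape the thread discusses (pin = base64 of the SHA-256 of the DER-encoded SubjectPublicKeyInfo), with the GUIX_IGNORE_KEY_PINNING escape hatch Maxime proposes, and a rotation scenario showing why a pin set without a backup pin fails hard. The SPKI byte strings and the function names are constructed stand-ins, not real keys or Guix APIs.

```python
import base64
import hashlib
import os

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs (not real keys).
CURRENT_KEY = b"constructed-spki-der: current content.minetest.net key"
BACKUP_KEY = b"constructed-spki-der: pre-announced backup key"
ROTATED_UNPINNED_KEY = b"constructed-spki-der: key rotated without updating the pin set"


def pin_sha256(spki_der: bytes) -> str:
    """HPKP pin-sha256 format: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def check_pins(presented_spki: bytes, pinned: set, env=None) -> tuple:
    """Decide whether a presented SPKI is acceptable against a pinned set.

    Returns (accepted, reason). The escape hatch is checked first so an
    operator can recover from a stale pin set without a code change; the
    reason string is what a log line would carry.
    """
    env = os.environ if env is None else env
    if env.get("GUIX_IGNORE_KEY_PINNING") == "yes":
        return True, "pinning bypassed via GUIX_IGNORE_KEY_PINNING=yes"
    presented = pin_sha256(presented_spki)
    if presented in pinned:
        return True, "pin match: " + presented
    return False, "pin mismatch: presented %s, expected one of %s" % (
        presented, sorted(pinned))


def rotation_outcomes(pinned: set) -> dict:
    """Simulate the key rotations a client would see; maps scenario -> accepted.

    With only the current key pinned, rotating to the backup key breaks every
    client until the pin set is updated, which is the HPKP failure mode the
    thread refers to.
    """
    return {
        "steady state": check_pins(CURRENT_KEY, pinned)[0],
        "rotate to backup": check_pins(BACKUP_KEY, pinned)[0],
        "rotate to unpinned key": check_pins(ROTATED_UNPINNED_KEY, pinned)[0],
    }


if __name__ == "__main__":
    good = {pin_sha256(CURRENT_KEY), pin_sha256(BACKUP_KEY)}
    bad = {pin_sha256(CURRENT_KEY)}  # no backup pin
    print("with backup pin:", rotation_outcomes(good))
    print("without backup pin:", rotation_outcomes(bad))
```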