savannah-hackers-public
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Savannah-hackers-public] [Repo-criteria-discuss] Savannah and HTTPS

From: Mike Gerwitz
Subject: Re: [Savannah-hackers-public] [Repo-criteria-discuss] Savannah and HTTPS
Date: Fri, 07 Oct 2016 22:16:55 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux) 
Richard:

A couple people have raised concerns about Savannah and whether it meets
criteria C6, which states: "Support HTTPS properly and securely,
including the site's certificates."

I'm not entirely sure how to intended "properly and securely" to be
interpreted, but from a security standpoint, there are legitimate
issues.

I quoted the e-mail in full below.  The solution to the problems are:

  - Modify the webserver configuration to send an HTTP header ("HSTS")
    with HTTP responses that tells the client never to attempt non-HTTPS
    connections;
  - Redirect all traffic to :443 (HTTPS);
  - Rewrite all URLs on webpages to use https; and
  - All of the above for git.savannah.{non,}gnu.org.

I sent these to the Savannah hackers.  Understandably, they're in need
of help.  I forwarded the links they sent me to repo-criteria-discuss@
so that others can look into how to volunteer and understand the state
of things.

Currently, they are migrating to new VMs provided by the FSF and would
like to make changes there.  Changes to git.savannah.gnu.org to support
repositories over HTTPS isn't something they say they can do on the old
hardware with limited resources.

I have two questions for you:

  - Given the issues below, do you consider Savannah to implement HTTPS
    "properly and securely"?

  - Changes to the first three items above could conceivably be made to
    the existing servers until migration is complete; otherwise they'll
    have to wait, which might be a while (I don't know how
    long).  Should precedence be given to resolving the first three
    issues on the current servers?

Please let me know your thoughts on how we should proceed.


On Mon, Sep 19, 2016 at 12:30:03 +0200, Hanno Böck wrote:
> Hi,
>
> A while ago I noted that the FSF has made an evaluation of code hosting
> services and Savannah got rated as an A. I found that irritating,
> because based on my experience savannah has some severe security
> issues - which gave me the impression that the FSF only cares about
> free code (on which I agree) and not other issues, which I find
> worrying.
>
> I now checked this in more detail and saw that the criteria contains
> actually something that indicates this is not the case:
> "Support HTTPS properly and securely, including the site's
> certificates. (C6)"
>
> If I understand this correctly a "C" criteria must be met by all sites
> getting C or any higher rating. While this criterion is not very
> specific, I'd argue that savannah doesn't fullfil it for various
> reasons.
>
> *The savannah webpage itself*
>
> If you surf to the savannah webpage it is served over http unless you
> explicitly use an https URL. If you click on "login" there is an option
> "Stay in secure (https) mode after login". This all doesn't make a lot
> of sense.
>
> First of all having security as something optional doesn't make any
> sense. It's like asking a user: "Do you want attackers to be able to
> impersonate you and act on your behalf?" Nobody will answer "Yes" to
> that.
> But second - more important - it's basically irrelevant, because the
> login page itself is served over http. Whatever the user selects there
> is already under full control of a potential attacker. Even though the
> login data usually is sent over https, this can easily be changed by an
> attacker with an ssl stripping attack.
>
> *The code repositories*
>
> Now all of the above can be aleviated a bit if a user carefully uses
> https all the time manually or uses a plugin like https everywhere. But
> even more worrying is that there is no way to access the savannah git
> repositories in a secure way for anonymous users.
>
> If you look at a repository site like this:
> http://savannah.gnu.org/git/?group=patch
>
> There are two ways to clone the repo: Over the git:// protocol, which
> is plaintext and insecure, and over ssh, which is only available if you
> have a savannah account and are a member of that project. Therefore for
> all people that are not part of a project there is no secure way of
> getting the git code.
>
>
>
> I think for these two reasons one cannot argue that savannah supports
> HTTPS "properly and securely".
>
> I don't know if people operating savannah read this, but I'd recommend
> these changes:
> * Remove the nonsensical login option and make security the default.
> * Redirect all http queries to https.
> * Set an HSTS header to avoid accidental http access.
> * Create an anonymous git checkout option over HTTPS.
>
> Until these issues have been resolved I think savannah should no longer
> be called an ethical code hosting option.

-- 
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: 2217 5B02 E626 BC98 D7C0  C2E5 F22B B815 8EE3 0EAB
https://mikegerwitz.com

Attachment: signature.asc
Description: PGP signature

reply via email to
[Prev in Thread] Current Thread [Next in Thread]