[Bug 1467716] Re: "gem install" fetches packages from unencrypted HTTP URL
Simon Déziel
1467716 at bugs.launchpad.net
Thu Jun 25 18:31:22 UTC 2015
On 06/23/2015 05:36 AM, Robie Basak wrote:
> I know that years ago "gem install" was horribly insecure, but I believe
> this has been improved upstream? So is this a bug in Ubuntu's packaging,
> or is it that it is fixed in a newer upstream (and/or Ubuntu) release,
> or is what you're reporting still a problem upstream?
I'm unsure about where the problem originates. I've only tested this on
Ubuntu Trusty.
> I'll also note that using unencrypted HTTP isn't necessarily "insecure".
> Cryptographic verification can be done using digital signatures outside
> the transport protocol (for example apt does this), which is arguably
> more secure because it protects data at rest as well as in transit. For
> example, even if an apt mirror is compromised the signatures and thus
> package contents cannot be since the apt repository private signing keys
> aren't held on any mirror.
You are right. In this specific case, the files are not
cryptographically signed as shown when asking for signature validation [1]:
# gem install bundler -P HighSecurity
Fetching: bundler-1.10.5.gem (100%)
ERROR: While executing gem ... (Gem::Exception)
Unsigned gem
> Finally, HTTPS doesn't necessarily protect privacy for software
> repositories either, as any attacker who could compromise your HTTP
> download can also observe the size and timing of your HTTPS downloads
> and thus often be able to guess what packages you downloaded from a
> repository that is already public.
>
> So it would be useful if you could please clarify exactly what you mean
> by "insecure",
I must admit that saying that HTTP is "insecure" is overly broad. My
main concern was MITM attacks. I agree with you that HTTPS alone isn't a
silver bullet but it would still be an improvement security-wise.
> and what needs to be fixed in Ubuntu as opposed to what
> is available in a newer release and what needs fixing upstream.
Having gem always use the HTTPS URL to rubygems.org would be sufficient
to at least prevent MITM attacks. A quick look at the upstream git tree
showed that they use the HTTPS scheme to reach rubygems.org.
Regards,
Simon
1: http://guides.rubygems.org/security/#using-gems
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to ruby1.9.1 in Ubuntu.
https://bugs.launchpad.net/bugs/1467716
Title:
"gem install" fetches packages from unencrypted HTTP URL
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ruby1.9.1/+bug/1467716/+subscriptions
More information about the Ubuntu-server-bugs mailing list