[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#27437: Source downloader accepts X.509 certificate for incorrect dom

From: Leo Famulari
Subject: bug#27437: Source downloader accepts X.509 certificate for incorrect domain
Date: Thu, 22 Jun 2017 00:09:01 -0400
User-agent: Mutt/1.8.3 (2017-05-23)

On Wed, Jun 21, 2017 at 12:50:15PM +0200, Ludovic Courtès wrote:
> Leo Famulari <address@hidden> skribis:
> > While working on some package updates, I found that the source code
> > downloader will accept an X.509 certificate for an incorrect site.


> IOW, since we’re checking the integrity of the tarball anyway, and we
> assume developers checked its authenticity when writing the recipe, then
> who cares whether downloads.xiph.org has a valid certificate?
> Does it make sense?

Yeah, I think it makes sense if checking the certificates would add too
much complexity for what I think is a minor benefit: protecting against
exploitation of bugs by MITM (but not xiph.org) in whatever code runs
after the connection is initiated and before the hash is calculated.

Perhaps a MITM could send a huge file and fill up the disk or something
like that.

Closing the bug, but more thoughts are welcome!

Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]