repo-criteria-discuss
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Repo-criteria-discuss] Savannah and HTTPS


From: Hanno Böck
Subject: [Repo-criteria-discuss] Savannah and HTTPS
Date: Mon, 19 Sep 2016 12:30:03 +0200

Hi,

A while ago I noted that the FSF has made an evaluation of code hosting
services and Savannah got rated as an A. I found that irritating,
because based on my experience savannah has some severe security
issues - which gave me the impression that the FSF only cares about
free code (on which I agree) and not other issues, which I find
worrying.

I now checked this in more detail and saw that the criteria contains
actually something that indicates this is not the case:
"Support HTTPS properly and securely, including the site's
certificates. (C6)"

If I understand this correctly a "C" criteria must be met by all sites
getting C or any higher rating. While this criterion is not very
specific, I'd argue that savannah doesn't fullfil it for various
reasons.

*The savannah webpage itself*

If you surf to the savannah webpage it is served over http unless you
explicitly use an https URL. If you click on "login" there is an option
"Stay in secure (https) mode after login". This all doesn't make a lot
of sense.

First of all having security as something optional doesn't make any
sense. It's like asking a user: "Do you want attackers to be able to
impersonate you and act on your behalf?" Nobody will answer "Yes" to
that.
But second - more important - it's basically irrelevant, because the
login page itself is served over http. Whatever the user selects there
is already under full control of a potential attacker. Even though the
login data usually is sent over https, this can easily be changed by an
attacker with an ssl stripping attack.

*The code repositories*

Now all of the above can be aleviated a bit if a user carefully uses
https all the time manually or uses a plugin like https everywhere. But
even more worrying is that there is no way to access the savannah git
repositories in a secure way for anonymous users.

If you look at a repository site like this:
http://savannah.gnu.org/git/?group=patch

There are two ways to clone the repo: Over the git:// protocol, which
is plaintext and insecure, and over ssh, which is only available if you
have a savannah account and are a member of that project. Therefore for
all people that are not part of a project there is no secure way of
getting the git code.



I think for these two reasons one cannot argue that savannah supports
HTTPS "properly and securely".

I don't know if people operating savannah read this, but I'd recommend
these changes:
* Remove the nonsensical login option and make security the default.
* Redirect all http queries to https.
* Set an HSTS header to avoid accidental http access.
* Create an anonymous git checkout option over HTTPS.

Until these issues have been resolved I think savannah should no longer
be called an ethical code hosting option.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: address@hidden
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

Attachment: pgp9fwQ6WTSM3.pgp
Description: OpenPGP digital signature


reply via email to

[Prev in Thread] Current Thread [Next in Thread]