Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Installation instructions contain bad security habits #76

Closed
sarciszewski opened this issue Oct 28, 2014 · 14 comments

Comments

@sarciszewski
Copy link

commented Oct 28, 2014

curl https | php needs to go. This was previously reported over a year ago in #41 and nobody has taken action.

This is what you need to do:

  1. Generate an RSA/DSA/Ed25519/whatever asymmetric key pair.
  2. Keep your private key safe.
  3. Sign your installer.
  4. Publish your public key.
  5. Publish amended install instructions that verify the signature before any code is run.

Then continue to verify the .phar from within the installer.

Not exactly rocket science, and not a low priority that you can really afford to keep sweeping under the rug while running off to conferences to drink beer and make lots of money while pushing an insecure solution.

@Seldaek

This comment has been minimized.

Copy link
Member

commented Dec 2, 2014

  1. I agree on the content and I hope I'll find time to do this someday.
  2. Getting angry is not so useful, please keep the attitude in check.
  3. Sorry for taking some time off opensource to sometimes try to have fun, a social life, actually work to get some money, and then maybe avoid burning out completely and shutting the project because why the hell am I even bothering?
  4. Making lots of money? Where how when? I wish I knew. So far this whole thing has been a huge money sink for me, I could make a lot more contracting than working on opensource or even toranproxy if that's what you are referring to. I continue because I feel some responsibility, but when I read such comments it does not really motivate me to keep going.
@sarciszewski

This comment has been minimized.

Copy link
Author

commented Dec 2, 2014

  1. I agree on the content and I hope I'll find time to do this someday.

I made a pull request to do the ground work previously. All you have to do is one of the two:

  1. Create a key pair, publish a public key.
  2. Appoint someone else that you trust to do it for you.

It's not hard. I can and will do the rest of the work, but it matters for very little if it's MY public key that it trusts and not yours.

@stof

This comment has been minimized.

Copy link
Contributor

commented Dec 2, 2014

I made a pull request to do the ground work previously

Your PR only does a small part of the work. composer self-update and the composer installer script are not checking the PGP signature when downloading, which is where a bunch of work is required

@sarciszewski

This comment has been minimized.

Copy link
Author

commented Dec 2, 2014

Your PR only does a small part of the work.

Right. And if someone published a PGP or RSA public key that would be used for signing, I would take it as a good faith gesture and find time to complete it. That hasn't happened yet.

Quoting myself:

I can and will do the rest of the work

@sarciszewski sarciszewski changed the title Horrendously Stupid and Ill-Advised Install Instructions Installation instructions contain bad security habits Dec 2, 2014

@johnhunt

This comment has been minimized.

Copy link

commented Jan 9, 2015

+1 it's a shame sarciszewski is being ignored. Composer really needs this.

@jrobeson

This comment has been minimized.

Copy link

commented Jan 9, 2015

@sarciszewski : so how does one generate this key? maybe publishing a quick howto, so they just simply have to run a few commands to get the right key going.

@padraic

This comment has been minimized.

Copy link
Contributor

commented Mar 1, 2015

All, see my comment at #77

This should be pretty much everything that is required, and I now have it sitting in two independent packages I'll have finalised tomorrow. TLS support is reduced to one function. Self updating support is reduced to several methods. I honestly cannot make it any easier.

@sarciszewski

This comment has been minimized.

Copy link
Author

commented Apr 5, 2015

@sarciszewski : so how does one generate this key? maybe publishing a quick howto, so they just simply have to run a few commands to get the right key going.

@BenCollver

This comment has been minimized.

Copy link

commented Oct 9, 2015

In the meanwhile, one could compare the file hash to the one published on slackbuilds.org.

http://slackbuilds.org/repository/14.1/development/composer/

@paragonie-scott

This comment has been minimized.

Copy link

commented Oct 9, 2015

The utility of a hash is very limited; what you want is a digital signature.

https://paragonie.com/blog/2015/08/you-wouldnt-base64-a-password-cryptography-decoded

@BenCollver

This comment has been minimized.

Copy link

commented Oct 10, 2015

With a hash you can verify integrity and authenticity [1]. A hash is one of the components of a digital signature [2]. Though a signature is better, a hash is what we have available today (vs. no verification at all.)

[1]
https://en.wikipedia.org/wiki/File_verification#Integrity_verification

[2]
https://en.wikipedia.org/wiki/Pretty_Good_Privacy#Digital_signatures

@paragonie-scott

This comment has been minimized.

Copy link

commented Oct 10, 2015

With a hash you can verify integrity and authenticity [1].

Only if you include asymmetric-key cryptography of some sort, at which point you've just reinvented a digital signature.

A hash is one of the components of a digital signature [2].

I'm well aware.

For example, Ed25519 is a Schnorr digital signature scheme over an elliptic curve field that works by taking SHA512 of a message, splitting it in half, then using one half in place of a nonce and the other is used with the secret key to create a long digest that can be verified with the public key.

It probably wouldn't work without a 512-bit hash function.

But that doesn't mean that an SHA-512 hash is the same thing as an EdDSA signature. In most cases, verifying checksums from MD5, SHA1, etc. is little more than security theater.

@alcohol

This comment has been minimized.

Copy link
Member

commented Oct 12, 2015

I can generate GPG signatures for the alpha releases if that would make people happy. It's a bit more secure than a md5/sha checksum.

@Seldaek

This comment has been minimized.

Copy link
Member

commented Apr 21, 2016

Oh this is still open.

@Seldaek Seldaek closed this Apr 21, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
9 participants
You can’t perform that action at this time.