
httpsource_review

Cedric BAIL edited this page Dec 2, 2022 · 4 revisions

HTTPSource is, as of December 2022, the only provided implementation of the Source interface. It expects a very basic remote web repository that contains the executable to upgrade to and an Ed25519 signature file next to it. It checks that the creation time of the signature is more recent than the creation time of the executable, and triggers the upgrade if the remote server presents a more recent signature. The download starts in the background and, once done, the signature for the binary is checked. If it passes, the update process can continue and replace the executable on disk.

```mermaid
sequenceDiagram
   participant Client
   participant Server
   loop At regular interval
       Client-->>+Server: Get executable.ed25519
       Server-->>-Client: Serve signature back
       Note over Client,Server: If signature is more<br/>recent than executable
       Client-->>+Server: Get executable
       Server-->>-Client: Serve executable
       Client-->>Client: Check executable<br/>against signature
       Client-->>Client: Update file if<br/>executable checks ok
   end
```
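The loop in the diagram, written out as an added Go example (this is illustration code, not the selfupdate project's HTTPSource; the names `HTTPUpdater`, `Poll` and `serveFiles` are hypothetical). One `Poll` call reads the `Last-Modified` header of `<name>.ed25519`, compares it with the installed executable's creation time, and only then downloads both files and verifies the executable against the signature with the embedded public key. `serveFiles` is a constructed in-memory stand-in for the remote web repository so the example runs offline:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// HTTPUpdater, Poll and serveFiles are hypothetical names for this
// illustration; they are not the selfupdate project's API.

var ErrBadSignature = errors.New("signature does not verify against public key")

// HTTPUpdater polls <BaseURL>/<Name>.ed25519 and <BaseURL>/<Name>.
type HTTPUpdater struct {
	Client    *http.Client
	BaseURL   string
	Name      string
	PublicKey ed25519.PublicKey
	LocalTime time.Time // creation time of the installed executable
}

// lastModified reads the unauthenticated Last-Modified header of a remote object.
func (u *HTTPUpdater) lastModified(path string) (time.Time, error) {
	resp, err := u.Client.Head(u.BaseURL + "/" + path)
	if err != nil {
		return time.Time{}, err
	}
	resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return time.Time{}, fmt.Errorf("HEAD %s: %s", path, resp.Status)
	}
	return http.ParseTime(resp.Header.Get("Last-Modified"))
}

// fetch downloads a remote object, capped at 64 MiB.
func (u *HTTPUpdater) fetch(path string) ([]byte, error) {
	resp, err := u.Client.Get(u.BaseURL + "/" + path)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("GET %s: %s", path, resp.Status)
	}
	return io.ReadAll(io.LimitReader(resp.Body, 64<<20))
}

// Poll is one iteration of the loop in the diagram. It returns the verified
// executable when an update should be applied, nil when the remote signature
// is not newer than the local executable, and an error when the download or
// the signature check fails. The freshness decision relies only on the
// server's Last-Modified header, which is the first limitation listed below.
func (u *HTTPUpdater) Poll() ([]byte, error) {
	remote, err := u.lastModified(u.Name + ".ed25519")
	if err != nil {
		return nil, err
	}
	if !remote.After(u.LocalTime) {
		return nil, nil // nothing newer advertised
	}
	sig, err := u.fetch(u.Name + ".ed25519")
	if err != nil {
		return nil, err
	}
	if len(sig) != ed25519.SignatureSize {
		return nil, ErrBadSignature
	}
	exe, err := u.fetch(u.Name)
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(u.PublicKey, exe, sig) {
		return nil, ErrBadSignature // tampered or wrongly signed binary is never installed
	}
	return exe, nil
}

// serveFiles is a constructed in-memory stand-in for the remote repository.
func serveFiles(files map[string][]byte, modTime time.Time) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, ok := files[r.URL.Path[1:]]
		if !ok {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Last-Modified", modTime.UTC().Format(http.TimeFormat))
		if r.Method != http.MethodHead {
			w.Write(body)
		}
	}))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	exe := []byte("constructed executable contents") // stands in for the real binary
	srv := serveFiles(map[string][]byte{"app": exe, "app.ed25519": ed25519.Sign(priv, exe)}, time.Now())
	defer srv.Close()
	u := &HTTPUpdater{Client: srv.Client(), BaseURL: srv.URL, Name: "app",
		PublicKey: pub, LocalTime: time.Now().Add(-time.Hour)}
	got, err := u.Poll()
	fmt.Println(len(got), err)
}
```

The signature check is what keeps the scheme safe against a modified binary; the date comparison is only an optimisation that decides whether to download at all, and since `Last-Modified` is plain HTTP metadata it cannot be trusted to prevent a rollback to an older, correctly signed executable.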

This scheme is really simple and the tooling for deploying it is easy to use, but it is important to understand that it has a few limitations:

  • The signature's creation date is not signed, since it relies on HTTP to serve it. This means that someone who controls the network used for the update can trigger an update toward an older version, which could be used to get the user to install an executable with a known vulnerability.
  • If the private key is compromised, there is no upgrade path without using that private key one last time to sign an executable that switches to a new key, and that file must be kept available for as long as you wish to support old clients transitioning to the new key.
  • If the private key is lost, no further upgrade is possible without manual intervention on the clients that have been installed.
  • It is not possible to serve binary diffs with this method.

For all these reasons, it would be interesting to implement a TUFSource, possibly with a double public/private key scheme in place. Issue #16 has been created to track the effort to address the limitations described in this article.
