Scripts seem to be downloaded insecurely #253

Closed
8573 opened this Issue Nov 11, 2014 · 13 comments

8573 commented Nov 11, 2014

The /script command appeared to download the scripts and the index of
scripts via unsecured HTTP, which would seem to be a security risk, unless
there is some subsequent cryptographic verification of the downloaded data.

Three potential solutions I see are:

Contributor

Mikaela commented Nov 11, 2014

> I suppose the script index would need to be uploaded to GitHub, perhaps
> with GitHub’s “releases” feature.

I am not fully sure about the releases feature, as it uses git tags, which again are more for a single project than for around a hundred scripts.

> Upgrading weechat.org to HTTPS, perhaps with a free certificate from
> GlobalSign: https://www.globalsign.com/ssl/ssl-open-source/.
> This would also cover the packages that are offered for download from
> http://weechat.org.

Alternatively, CloudFlare gives free certificates when you use their protection.

Author

8573 commented Nov 11, 2014

> Alternatively CloudFlare gives free certificates when you use their
> protection.

Unless weechat.org is upgraded to support HTTPS anyway, wouldn’t the
weechat.org ↔ CloudFlare connection not be (significantly) more secure
than weechat.org ↔ end-user connections are now?

Contributor

Mikaela commented Nov 11, 2014

> Unless weechat.org is upgraded to support HTTPS anyway, wouldn’t the
> weechat.org ↔ CloudFlare connection not be (significantly) more secure
> than weechat.org ↔ end-user connections are now?

CloudFlare doesn't care about self-signed certificates; most users probably do.

Author

8573 commented Nov 11, 2014

> CloudFlare doesn't care about self-signed certificates, most of users
> probably do.

https://www.cloudflare.com/ssl implies that CloudFlare provides no way
to have it validate a self-signed certificate (e.g., by giving
CloudFlare the certificate’s fingerprint in some administrative
interface):

> Full SSL: […] CloudFlare will not attempt to validate the certificate
> (certificates may be self-signed).

While CloudFlare’s “Full SSL” option would provide encryption of the
connection, it seems to me that only the “Full SSL (strict)” option,
applied in combination with a certificate from a generally-recognized
authority, would provide authentication of the connection;
authentication of the connection being my concern.

Member

flashcode commented Nov 11, 2014

It's planned to upgrade weechat.org to HTTPS (when I have some time, or any help is welcome, since the site is open-source).

Member

flashcode commented Nov 15, 2014

Site weechat.org has been upgraded to HTTPS (the HTTP is still working).
I'll then check how to enable HTTPS by default in the script plugin (for download of the scripts index and the scripts themselves). I'll even try to force existing users to switch to HTTPS by default (automatically).

Contributor

Mikaela commented Nov 15, 2014

HSTS?

Member

flashcode commented Nov 15, 2014

For now I don't plan to disable HTTP, to stay compatible with the existing script plugin (or old releases), which uses HTTP by default.
In the far future, HTTP could be disabled on weechat.org.

Author

8573 commented Nov 15, 2014

That was quick. Thanks!

I don’t believe using HSTS would entail disabling unsecured HTTP
server-side.

Member

flashcode commented Nov 15, 2014

The fix is only on weechat.org now; I'll update the script plugin to force HTTPS soon (and then I'll close this issue once done).

Contributor

Mikaela commented Nov 15, 2014

I would say

> I don’t believe using HSTS would entail disabling unsecured HTTP

but it was already said and you can give the same content on both HTTP and HTTPS if something doesn't use HTTPS even if there is HSTS.

Member

flashcode commented Nov 15, 2014

OK, I misunderstood what HSTS was.
It is now enabled on weechat.org.
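
The HSTS point discussed above, as an added example that is not code from WeeChat or from anyone in this thread: HSTS is a policy the client remembers and enforces (RFC 6797), so the server can keep answering plain HTTP for clients that do not implement it. The class `HstsStore`, its method names and the `now` parameter are hypothetical names chosen for this illustration.

```python
from urllib.parse import urlsplit, urlunsplit

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1) into
    (max_age_seconds, include_subdomains); None if the header is invalid."""
    max_age, include_sub, seen = None, False, set()
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:                 # repeated directive: header is invalid
            return None
        seen.add(name)
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not (arg.isascii() and arg.isdigit()):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    """Client-side policy cache: host -> (expiry_time, include_subdomains)."""
    def __init__(self):
        self.policies = {}

    def note_response(self, url, header, now):
        parts = urlsplit(url)
        policy = parse_hsts(header)
        if parts.scheme != "https" or policy is None:
            return                        # header seen over plain HTTP is ignored
        if policy[0] == 0:
            self.policies.pop(parts.hostname, None)   # max-age=0 deletes the policy
        else:
            self.policies[parts.hostname] = (now + policy[0], policy[1])

    def upgrade(self, url, now):
        """Return the URL an HSTS-aware client would actually fetch."""
        parts = urlsplit(url)
        labels = (parts.hostname or "").split(".")
        for i in range(len(labels)):      # exact host first, then parent domains
            expiry, include_sub = self.policies.get(".".join(labels[i:]), (0, False))
            if parts.scheme == "http" and now < expiry and (i == 0 or include_sub):
                netloc = parts.hostname if parts.port in (None, 80) else parts.netloc
                return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url
```

A client that never consults such a store keeps fetching over HTTP for as long as the server answers there, and the first request to a host, made before any policy has been recorded, is not protected by HSTS either.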

@flashcode flashcode added this to the 1.1 milestone Nov 15, 2014

@flashcode flashcode self-assigned this Nov 15, 2014

@flashcode flashcode closed this in 786999b Nov 15, 2014

flashcode added a commit that referenced this issue Apr 23, 2017

script: remove option script.scripts.url_force_https, use HTTPS by default in option script.scripts.url (issue #253)
Member

flashcode commented Apr 23, 2017

The option script.scripts.url_force_https has been removed because now weechat.org is HTTPS only (there's an automatic redirection from HTTP to HTTPS).
The default value for option script.scripts.url is now using HTTPS.
