Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20230420125645.md-Zo%steffen@sdaoden.eu>
Date: Thu, 20 Apr 2023 14:56:45 +0200
From: Steffen Nurpmeso <steffen@...oden.eu>
To: oss-security@...ts.openwall.com
Subject: Re: Perl's HTTP::Tiny has insecure TLS cert
 default, affecting CPAN.pm and other modules

Hanno Böck wrote in
 <20230420073459.003a5be2.hanno@...eck.de>:
 |On Wed, 19 Apr 2023 23:53:40 +0200
 |Steffen Nurpmeso <steffen@...oden.eu> wrote:
 |> IMO it is no vulnerability at all since it has "always" been _very
 |> clearly_ (even very lengthily) documented in the manual page.
 |
 |A vulnerability does not go away if it's documented, and I find that a
 |rather strange take.

Hm no, i do not, the latter not at all.  You can bundle a OpenPGP
/ signify / even OpenSSL signature with something and can get
secure download even over non-encrypted channels.  Even DNSSEC was
over unencrypted channels for twenty years, and still mostly is,
so, .. that i say that one day, _that_ is strange.
I mean, i do not want to start useless and fruitless discussions,
and it will be treated as a bug in HTTP::Tiny no matter what
i say, hysteria is king.

 |Also I think this discussion was had many times before, as plenty of
 |libraries in other language ecosystems defaulted to not checking certs
 |or doing incomplete checks, and over time they all defaulted to the
 |sane thing: To make the secure setting the default.
 |The fact that apparently noone has ever checked this for a major perl
 |library (I mean - CPAN itself, the package manager, is affected) is
 |quite telling tbh.

There i agree with you.  Now OpenSSL is very likely there, and in
appropriate versions, and a usable CA might even be available also
when HTTP::Tiny goes.  Having said that, i think in NetBSD they
struggle with whether they should install a complete CA by
default, even though some may not need / want it (whatever else
reason in their long discussions appeared), i think it is in
pkgsrc only for now.  Btw, the Mozilla CA contains _only_ entries
i fully and completely trust; especially so after the state of the
Netherlands left before Christmas last year.  No.  (And no mission
here, and no nagging requirement to make money from it, either.)

(P.S.: about thirty years ago i got a handwritten letter of
appreciation from a Dutch official, who overwhelmingly thanked me
for paying a ticket i got when we were there.  So much they
appreciated honest Germans by then!)

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.