Message-ID: <20230504235603.SFmyd%steffen@sdaoden.eu>
Date: Fri, 05 May 2023 01:56:03 +0200
From: Steffen Nurpmeso <steffen@...oden.eu>
To: "David A. Wheeler" <dwheeler@...eeler.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules

David A. Wheeler wrote in
 <C2F1E269-0FD7-45A2-A0E1-F1AC29383C09@...eeler.com>:
 |
 |> On May 4, 2023, at 2:23 PM, Rainer Canavan <rainer.canavan@...nga.com> wrote:
 |> I'd suspect that the issue in
 |> HTTP::Tiny would end up DISPUTED, since not validating TLS names is
 |> not the generally expected behavior, although it is documented (in
 |> bold no less).
 |
 |I would also expect it to be at most disputed, not rejected.
 |As Jeffry Walton noted, failing to validate a certificate is considered
 |by many to be a vulnerability, there's even a specific CWE for this case:
 |https://cwe.mitre.org/data/definitions/295.html
 |
 |Per the OP:
 |
 |> On Apr 18, 2023, at 11:46 AM, Stig Palmquist <stig@...g.io> wrote:
 |> ... We have generated a list of over 300 potentially affected
 |> CPAN distributions.
 |
 |A default that potentially causes over 300 other vulnerabilities sounds like
 |a root cause vulnerability to me.  Clearly many users do *not* treat
 |this as expected behavior.
 |A change of the default would, for many, produce the expected behavior.

Unfortunately the moderator rejected my last message.
But still i want to say that the package HTTP::Tiny, which has a
tremendous list of contributors, made a conscious decision that is
noted several times, and lengthily explained, and they have all
rights in the world to do so, which would be true even if their
findings were false, which they are not.  Quite the opposite.

Maybe they should change their SYNOPSIS example (it is well
received here that there is a complete UNIX manual page locally
available, thank you) to

  my $response = HTTP::Tiny->new(
    ...it can be assumed people need adjustments..,
    verify_SSL => HTTP::Tiny::can_ssl()
  )->get('http://example.com/')

or something (though verify_SSL for HTTP could be taken
unseriously by nitpicking manual readers).

I see more problems with a community which only uses copy+paste
from stackoverflow or other such sites; i only wonder, because
whenever _i_ try to find something, i only get back pages (if
anything) where people are fooled, or where other people "which
seem to know" answer in a way that could possibly be understood
"if one would know", but otherwise one has to look up to an
Olympus of understanding that one fails to reach oneself.
My impression.

There also already were security problems by people who plugged
together dozens of modules which themselves required dozens of
modules, leading to an impenetrable jungle of dependencies and
running code.

In fact the only plug-in or how is it named that i run with the
firefox-bin (somewhat containerized, which btw is a problem with
GMail.com and their OAuth 2.0 flow=redirect approach, as the local
script which performs authorization "must create a temporary HTTP
server" to which the browser redirects, and that must thus run in
the same container as the browser, and there you go, my email
client must somehow reach into the container where that
multi-million-lines-of-code web browser is running, and i can
tell you HOW messy that was to get right.  Oh, have i already
narrated that i got donated a used Android smartphone (i do not
buy those myself due to the environmental problems, and the
working conditions, .. of the resources, ..BOY I CAN TELL YA..
btw), and i have to turn on microphone and device detection to
make a picture with the camera, and HOW complicated it is to get
rid of all the rights, and that it takes a LONG time to get back
from that screen, so LONG that i tap again, and am two levels
above, now is this behaviour so desired, i do not know), anyway,
that plug-in is umatrix, and if you look how many scripts, and
images, and the scripts and hidden? frames, load more, and more
scripts are loaded, that i think that the entire world knows that
i am reading that page, from which IP, and i do not know what
else.  It is understood that getting these data points is a large
market in the US, if i recall a Bruce Schneier note correctly.

No no.  A responsible and conscious programmer must at least look
a little bit into the manual of a module or library that she
uses, and how good if then there _is_ a good manual, locally, to
be read.  perl always did a tremendous job regarding this, already
before Y2K!  This is a good community with helpful people, and
someone was even capable to tell me

  + # We use :encoding to ensure our I/O layer is UTF-8, but that does not help
  + # for the command line of the audio encode applications we start, since our
  + # carefully prepared UTF-8 strings will then be converted according to the
  + # Perl I/O layer for STDOUT!  Thus we need to enwrap the open() calls that
  + # start the audio encoders in utf8_echomode_on() and utf8_echomode_off()
  + # calls!  I have forgotten who gave this working solution on a perl IRC
  + # channel which i entered via browser on 2013-05-06, i apologise: thank you!
  + sub utf8_echomode_on {binmode STDOUT, ':encoding(utf8)'}
  + sub utf8_echomode_off {binmode STDOUT, ':pop'}

[Whoever you were, please call up so i can give you credit!!  Thanks!!]
[Hey moderator!  I mean come on, did YOU know that??]

Sorry but without wanting to be personally demeaning, screaming
"Security vulnerability!" is just territorial pissing and/or
self-opinionatedness in this very case.

Like i said correctly though context-free in the
moderator-rejected email,

  Where the streets have no name.

He.  But on the other hand

  Und Frau Holle,              And Mother Hulda (Old Mother Frost),
  hot gern' die Wolle,         likes the wool,
  vom Dromedar,                of the dromedary,
  aus Afrika.                  from Africa.

This is --- with cojones --- Alf Poier and his song "Weil der
Mensch zählt" ("Because [it is] the human [that] counts").
To add to this that already the second sentence is

  Es sterb'n bald alle Vögel,
  es sterb'n bald alle Käfer,
  im Bett da liegt der Adam
  und vermehrt sie mit der Eva

and yes it is true

  all birds are soon dying,
  just as will all bugs,
  and in bed there is Adam,
  and breeds them with Eve.

Having said that, some kind of bugs will not die out, just like
"cockroaches behind the tilework" (another moderator-rejected
term of his song :-).

So to tank over this conscious package decision, that does a very
good job for many years, so good it is now included in the perl
base, with all this artillery shooting, to hint for slick,
obedient, ideologically styled, chin muscle stretching security
is nothing but fascism.

Having said that, maybe they will now have to change the idea in
equal spirit as shown above.  I consider this a sad but
understandable move.  I personally understood their decision,
but, like i said, always use and used verify_SSL.

One can only hope that the future will bring a replacement for
this western centric CA list with something that comes via DNS
domain chains, even though this of course has its own problems.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
|~~
|..and in spring, hear David Leonard sing..
|
|The black bear,                The black bear,
|blithely holds his own         holds himself at leisure
|beating it, up and down        tossing over his ups and downs with pleasure
|~~
|Farewell, dear collar bear
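An added example (my own, not code from the mail, from HTTP::Tiny's
documentation or from the CPAN distribution): the historic default
client beside a wrapper that refuses to speak HTTPS without peer
certificate verification and fails early when the SSL stack or a CA
bundle is missing. It relies only on documented HTTP::Tiny behaviour:
the verify_SSL constructor option, the can_ssl class/object method,
and the convention that internal errors surface as status 599 with the
exception text in content.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use HTTP::Tiny;

# Weak configuration: verify_SSL is off by default in the HTTP::Tiny
# releases this thread discusses, so any certificate, including one
# for a different host, is accepted for https:// URLs.
my $insecure = HTTP::Tiny->new;

# Hardened configuration: a client that verifies the peer certificate.
# Dies early if IO::Socket::SSL / Net::SSLeay are missing, or if no CA
# bundle can be found, instead of silently degrading.
sub secure_client {
    my (%opt) = @_;
    # As a class method, can_ssl checks that the SSL modules are present.
    my ($ok, $why) = HTTP::Tiny->can_ssl;
    die "TLS support unavailable: $why" unless $ok;
    my $ua = HTTP::Tiny->new(verify_SSL => 1, %opt);
    # As an object method with verify_SSL set, it also checks that a CA
    # bundle (system store or SSL_options/SSL_ca_file) is reachable.
    ($ok, $why) = $ua->can_ssl;
    die "certificate verification not possible: $why" unless $ok;
    return $ua;
}

# Fetch a URL and turn HTTP::Tiny's internal-error convention (status
# 599, exception text in content) into a readable message. Certificate
# verification failures end up in that branch rather than as a normal
# HTTP error, so they are worth distinguishing in logs.
sub fetch {
    my ($ua, $url) = @_;
    my $res = $ua->get($url);
    return $res->{content} if $res->{success};
    if ($res->{status} == 599) {
        die "transport/TLS error for $url: $res->{content}";
    }
    die "HTTP $res->{status} $res->{reason} for $url\n";
}

# Usage: the verifying client is the one that should reach production.
my $ua = secure_client();
print fetch($ua, 'https://example.com/');
```

With verify_SSL enabled, a wrong-host or untrusted certificate is reported through the 599 branch instead of being accepted, which is the behaviour the thread's CWE-295 reference is about.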