Packages server and downloads should be available via HTTPS
In progress, Low / Public / FEATURE REQUEST

Description

Original issue filed by @beamerblvd on 2015-04-25 in Bugzilla, copied here because it still has not been responded to and is still an issue:

VyOS is often installed on security-critical firewall hardware. Offering HTTP-only packages and HTTP-only downloads presents a security vulnerability. To that end:

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared? Will be filled on close

Comment by @beamerblvd on 2016-01-24:

Please? HTTP downloads are not suitable to use on security-critical hardware.

syncer moved this task from Need Triage to Backlog on the VyOS 1.1.x board. Oct 11 2017, 7:59 PM
syncer assigned this task to dmbaturin. Oct 11 2017, 8:54 PM
syncer edited projects, added Infrastructure; removed VyOS 2.0.x, VyOS 1.1.x, VyOS 1.2.x.
syncer added a subscriber: syncer.

Should we just add letsencrypt?

In T422#8426, @syncer wrote:

Should we just add letsencrypt?

Seems appropriate to me.

On a slightly-related note, I was using the VyOS forums today, and trying to quote a message in my reply, but it wouldn't work. I looked at the JavaScript console and it's full of errors about non-secure JS and CSS resources' being requested from a secure page, and Chrome blocking them as a result. Seems like we've got some mixed content problems going on in the forums.

cwadge added a subscriber: cwadge. Dec 19 2017, 7:56 PM

This begs the question about the mirror mechanism. My mirror supports TLS, but most don't.

syncer changed the task status from Open to In progress. Dec 19 2017, 7:57 PM

We should probably put in the mirror documentation that new mirrors must support TLS and existing mirrors are strongly urged to add support for TLS. However, to be clear, wanting a secure source for my downloads, I won't download from a mirror, because there's a lower level of trust. In fact, given a mirror with TLS and the master source without TLS, I would choose the master source every time.

If you can at least get a strong hash sum of the ISO from the master, that should be sufficient regardless of where the binary is downloaded from. Of course, if the master is compromised, all bets are off.

That's true, I would use a TLS mirror with a SHA-256 hash from the master. But I'd also want the master to be TLS.

It will be sooner or later ;)

Awesome. :) Let me know if you ever need an extra pair of hands on the infrastructure front.

syncer triaged this task as Low priority. Dec 19 2017, 9:23 PM

The downloads.vyos.io is now using mandatory HTTPS. On the dev.packages.vyos.net, HTTPS is optional. To declare this closed, we need someone to independently verify that ISO build works with HTTPS for them.
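
The check discussed in the comments above (an ISO fetched from any mirror, verified against a SHA-256 hash obtained from the master over HTTPS), as an added example that is not part of the original thread or of VyOS tooling. It assumes the master publishes a checksum list in `sha256sum` format, which the page does not state; the URL and file names are placeholders and the sample image is constructed.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path
from urllib.parse import urlparse


def require_https(url):
    """Reject a checksum source that is not HTTPS: a hash fetched in the clear proves nothing."""
    if urlparse(url).scheme != "https":
        raise ValueError(f"checksum source must be an https:// URL: {url!r}")
    return url


def expected_digest(checksum_text, filename):
    """Find filename's SHA-256 in sha256sum-style text ('<hex>  <name>' or '<hex> *<name>')."""
    for line in checksum_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[1].strip().lstrip("*") == filename:
            digest = parts[0].lower()
            if len(digest) != 64 or set(digest) - set("0123456789abcdef"):
                raise ValueError(f"malformed SHA-256 entry for {filename}")
            return digest
    raise KeyError(f"no checksum entry for {filename}")


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so a large ISO is never held in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, checksum_text, filename):
    """True only if the local file matches the digest the master published for filename."""
    return hmac.compare_digest(sha256_file(path), expected_digest(checksum_text, filename))


def demo():
    """Constructed sample: a stand-in 'ISO' and a checksum list as a master might serve it."""
    require_https("https://master.example/SHA256SUMS")  # placeholder URL, an assumption
    with tempfile.TemporaryDirectory() as d:
        iso = Path(d) / "example.iso"
        iso.write_bytes(b"constructed sample image\n")
        sums = f"{sha256_file(iso)}  example.iso\n"
        good = verify_download(iso, sums, "example.iso")
        iso.write_bytes(b"constructed sample image, tampered\n")
        return good, verify_download(iso, sums, "example.iso")
```

The checksum text is the only input that has to come from the trusted source; the ISO itself can come from any mirror, TLS or not.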