Date: Thu, 20 Apr 2023 14:56:45 +0200
From: Steffen Nurpmeso <steffen@...oden.eu>
To: oss-security@...ts.openwall.com
Subject: Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules

Hanno Böck wrote in
 <20230420073459.003a5be2.hanno@...eck.de>:
 |On Wed, 19 Apr 2023 23:53:40 +0200
 |Steffen Nurpmeso <steffen@...oden.eu> wrote:
 |> IMO it is no vulnerability at all since it has "always" been _very
 |> clearly_ (even very lengthily) documented in the manual page.
 |
 |A vulnerability does not go away if it's documented, and I find that a
 |rather strange take.

Hm no, i do not, the latter not at all.  You can bundle an OpenPGP
/ signify / even OpenSSL signature with something and can get
secure download even over non-encrypted channels.  Even DNSSEC was
over unencrypted channels for twenty years, and still mostly is,
so, .. that i say that one day, _that_ is strange.
I mean, i do not want to start useless and fruitless discussions,
and it will be treated as a bug in HTTP::Tiny no matter what
i say, hysteria is king.

 |Also I think this discussion was had many times before, as plenty of
 |libraries in other language ecosystems defaulted to not checking certs
 |or doing incomplete checks, and over time they all defaulted to the
 |sane thing: To make the secure setting the default.
 |The fact that apparently no one has ever checked this for a major perl
 |library (I mean - CPAN itself, the package manager, is affected) is
 |quite telling tbh.

There i agree with you.  Now OpenSSL is very likely there, and in
appropriate versions, and a usable CA might even be available also
when HTTP::Tiny goes.  Having said that, i think in NetBSD they
struggle with whether they should install a complete CA by
default, even though some may not need / want it (whatever else
reason in their long discussions appeared), i think it is in
pkgsrc only for now.  Btw, the Mozilla CA contains _only_ entries
i fully and completely trust; especially so after the state of the
Netherlands left before Christmas last year.  No.  (And no mission
here, and no nagging requirement to make money from it, either.)

(P.S.: about thirty years ago i got a handwritten letter of
appreciation from a Dutch official, who overwhelmingly thanked me
for paying a ticket i got when we were there.  So much they
appreciated honest Germans by then!)

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
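As an added example (not code from this thread or from the HTTP::Tiny project): the library default discussed above next to a client that has certificate verification turned on, plus a check a caller can run to confirm which kind of client it holds. The CA bundle path and the URL are placeholders.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use HTTP::Tiny;

# Fail early if the TLS stack HTTP::Tiny relies on (IO::Socket::SSL,
# Net::SSLeay) is missing; can_ssl returns ($ok, $why) in list context.
sub assert_ssl_available {
    my ($ok, $why) = HTTP::Tiny->can_ssl;
    die "HTTPS not usable: $why\n" unless $ok;
    return 1;
}

# Build a client that verifies the server certificate. ca_file is an
# optional assumption: when given it is handed to IO::Socket::SSL as
# SSL_ca_file (for example a Mozilla CA bundle already on the system).
sub secure_client {
    my (%opt) = @_;
    my %args = (verify_SSL => 1, timeout => 10);
    $args{SSL_options} = { SSL_ca_file => $opt{ca_file} } if $opt{ca_file};
    return HTTP::Tiny->new(%args);
}

# Audit an existing client object: true only if peer verification is on.
sub verifies_peer {
    my ($http) = @_;
    return $http->verify_SSL ? 1 : 0;
}

# Demonstration; the checks below need no network access.
assert_ssl_available();
my $default = HTTP::Tiny->new;      # library default: verify_SSL unset
my $strict  = secure_client();
printf "default client verifies peer:  %d\n", verifies_peer($default);
printf "hardened client verifies peer: %d\n", verifies_peer($strict);

# A fetch with the hardened client; $url is a placeholder. On a TLS or
# certificate failure HTTP::Tiny returns status 599 with the error text
# in {content}, so the failure is reported instead of silently ignored.
my $url = 'https://example.invalid/';
my $res = $strict->get($url);
warn "$url failed: $res->{status} $res->{reason}: $res->{content}\n"
    unless $res->{success};
```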
