| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <d4c73203-56ed-820f-82ee-c239d7976d33@al2klimov.de>
Date: Sat, 18 Jul 2020 10:05:38 +0200
From: "Alexander A. Klimov" <grandmaster@...klimov.de>
To: Finn Thain <fthain@...egraphics.com.au>
Cc: geert@...ux-m68k.org, funaho@...ai.org,
linux-m68k@...ts.linux-m68k.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] m68k: Replace HTTP links with HTTPS ones
Am 18.07.20 um 06:25 schrieb Finn Thain:
> On Fri, 17 Jul 2020, Alexander A. Klimov wrote:
>
>> Rationale:
>> Reduces attack surface on kernel devs opening the links for
>> MITM as HTTPS traffic is much harder to manipulate.
>>
>
> Has that actually happened?
I hope no. And with my patch it won't happen.
>
> You still need to fix the chain of trust in all the relevant browsers
> (unless you're planning to ship root certificates with the kernel source).
>
> Even then, developers using "HTTPS Everywhere" or equivalent will not
> benefit from this patch.
>
> And these new links are just as stale as the old ones, so I have to use
> web.archive.org anyway. So this patch achieves practically nothing.
Are they broken? I thought they're just redirecting?
>
>> Deterministic algorithm:
>> For each file:
>> If not .svg:
>
> Are URLs in .svg files not exploitable by MITM attack?
They're boilerplates set by Inkscape.
>
>> For each line:
>> If doesn't contain `\bxmlns\b`:
>
> Are XML parsers not exploitable by MITM attack?
They're boilerplates set by Inkscape.
>
>> For each link, `\bhttp://[^# \t\r\n]*(?:\w|/)`:
>
> Are ftp:// links etc. not exploitable by MITM attack?
>
>> If neither `\bgnu\.org/license`, nor `\bmozilla\.org/MPL\b`:
I'll add this to my todo list.
>
> Should developers be more concerned about MITM attack or lawsuit?
They're boilerplates we should replace with SPDX headers instead.
>
>> If both the HTTP and HTTPS versions
>> return 200 OK and serve the same content:
>
> ...then you have not been MITM attacked.
... for now.
>
>> Replace HTTP with HTTPS.
>>
>
> Will you also require developers to use DNSSEC?
*Sigh* ... yes, doing everything one nice day is better that doing just
something right now.
But doing just something right now is better that doing nothing at all.
Wait for v5.9-rc1, run...
>
>> Signed-off-by: Alexander A. Klimov <grandmaster@...klimov.de>
>> ---
>> Continuing my work started at 93431e0607e5.
>> See also: git log --oneline '--author=Alexander A. Klimov <grandmaster@...klimov.de>' v5.7..master
... this command and see how many maintainers agree with me.
>>
>> If there are any URLs to be removed completely
>> or at least not (just) HTTPSified:
>> Just clearly say so and I'll *undo my change*.
>> See also: https://lkml.org/lkml/2020/6/27/64
>>
>> If there are any valid, but yet not changed URLs:
>> See: https://lkml.org/lkml/2020/6/26/837
>>
>> If you apply the patch, please let me know.
>>
>>
>> arch/m68k/include/asm/mac_via.h | 4 ++--
>> arch/m68k/mac/config.c | 2 +-
>> arch/m68k/mac/macboing.c | 2 +-
>> 3 files changed, 4 insertions(+), 4 deletions(-)
>>
>> diff --git a/arch/m68k/include/asm/mac_via.h b/arch/m68k/include/asm/mac_via.h
>> index 1149251ea58d..0cbab71f2592 100644
>> --- a/arch/m68k/include/asm/mac_via.h
>> +++ b/arch/m68k/include/asm/mac_via.h
>> @@ -30,7 +30,7 @@
>> * http://www.rs6000.ibm.com/resource/technology/chrpio/via5.mak.html
>> * ftp://ftp.austin.ibm.com/pub/technology/spec/chrp/inwork/CHRP_IORef_1.0.pdf
>> *
>> - * also, http://developer.apple.com/technotes/hw/hw_09.html claims the
>> + * also, https://developer.apple.com/technotes/hw/hw_09.html claims the
>> * following changes for IIfx:
>> * VIA1A_vSccWrReq not available and that VIA1A_vSync has moved to an IOP.
>> * Also, "All of the functionality of VIA2 has been moved to other chips".
>> @@ -178,7 +178,7 @@
>> * on others, 0=disable processor's instruction
>> * and data caches. */
>>
>> -/* Apple sez: http://developer.apple.com/technotes/ov/ov_04.html
>> +/* Apple sez: https://developer.apple.com/technotes/ov/ov_04.html
>> * Another example of a valid function that has no ROM support is the use
>> * of the alternate video page for page-flipping animation. Since there
>> * is no ROM call to flip pages, it is necessary to go play with the
>> diff --git a/arch/m68k/mac/config.c b/arch/m68k/mac/config.c
>> index 5c9f3a2d6538..6f2eb1dcfc0c 100644
>> --- a/arch/m68k/mac/config.c
>> +++ b/arch/m68k/mac/config.c
>> @@ -240,7 +240,7 @@ static struct mac_model mac_data_table[] = {
>> * Weirdified Mac II hardware - all subtly different. Gee thanks
>> * Apple. All these boxes seem to have VIA2 in a different place to
>> * the Mac II (+1A000 rather than +4000)
>> - * CSA: see http://developer.apple.com/technotes/hw/hw_09.html
>> + * CSA: see https://developer.apple.com/technotes/hw/hw_09.html
>> */
>>
>> {
>> diff --git a/arch/m68k/mac/macboing.c b/arch/m68k/mac/macboing.c
>> index 388780797f7d..a904146dc4e6 100644
>> --- a/arch/m68k/mac/macboing.c
>> +++ b/arch/m68k/mac/macboing.c
>> @@ -116,7 +116,7 @@ static void mac_init_asc( void )
>> * support 16-bit stereo output, but only mono input."
>> *
>> * Technical Information Library (TIL) article number 16405.
>> - * http://support.apple.com/kb/TA32601
>> + * https://support.apple.com/kb/TA32601
>> *
>> * --David Kilzer
>> */
>>
Powered by blists - more mailing lists