#nixos-security on 2019-04-20

00:38 galaxie has quit [Ping timeout: 256 seconds]

13:08 galaxie has joined #nixos-security

16:40 <pie_> gchristensen, watching your vuln roundup n + 1 talk, thanks for working on this stuff

16:40 <pie_> and everybody else too!

16:41 <gchristensen> woot1

18:08 pie_ has quit [Remote host closed the connection]

18:09 pie_ has joined #nixos-security

18:13 pie_ has quit [Ping timeout: 252 seconds]

20:13 pie_ has joined #nixos-security

21:51 book` has quit [Quit: Leaving]

21:51 ivan has quit [Quit: lp0 on fire]

21:54 book` has joined #nixos-security

21:55 book` has quit [Client Quit]

21:58 book` has joined #nixos-security

22:02 ivan has joined #nixos-security

22:09 infinisil has joined #nixos-security

22:09 simpson has joined #nixos-security

22:09 xorAxAx has joined #nixos-security

22:12 <xorAxAx> So, the attack vector again: user A runs nixos on a laptop, travels somewhere, does a channel update. then, somebody performs a MITM attack, pointing him to flawed .nix files, poisoning his system.

22:13 <xorAxAx> gchristensen points out that you can also use git to fetch the tree

22:13 <xorAxAx> that would be an improvement if ssh is being used

22:13 <xorAxAx> probably

22:13 <simpson> Specifically one of the NixOS-controlled channels at https://nixos.org/channels/, right?

22:14 <gchristensen> https://github.com/NixOS/nixpkgs-channels

22:14 <gchristensen> is one you can fetch vi agit

22:15 <LnL> yeah, a MITM of eg. https://nixos.org/channels/nixos-19.03 of could update your channel with unknown expressions

22:16 <xorAxAx> yep

22:16 <LnL> if you trust github then you can use that repo over ssh

22:17 <LnL> I think only ~2 people and the infrastructure have access to that

22:18 <infinisil> Would be neat to have a list of potential attacks against Nix(OS)

22:18 <gchristensen> access control to the build infrastructure is quite carefully maintained

22:20 <xorAxAx> LnL, i am more concerned about on-the-wire threats

22:20 <xorAxAx> not somebody mutating the eye-balled repo to contain malware etc.

22:22 <pie_> some of my security friends have told me the usual https pki stuff is basically broken because of stolen wildcard certs and who knows whar

22:22 <pie_> what

22:23 <pie_> but id hope thats not all we're relying o

22:23 <pie_> *on. re signing i guess

22:25 <LnL> alternatively you could run NIX_SSL_CERT_FILE=foo.crt nix-channel with only the nixos root cert

22:26 <xorAxAx> pie_, apparently thats crucial

22:27 <xorAxAx> in the default setup

22:28 <infinisil> pie_: Take a look at certificate transparency, which solved some problems

22:30 <infinisil> But I'm pretty sure wildcard certs can only have subdomain level or lower wildcards

22:31 <pie_> yeah idk it was probably some other thing

22:32 <xorAxAx> there are CA certs in airplanes that can sign any domain cert

22:32 <xorAxAx> according to what i read in the past

22:32 <xorAxAx> not sure what the full chain was

22:32 <xorAxAx> (somebody saw ssl warnings while surfing on an airplane)

22:34 <LnL> problem is that multiple root CA's can sign the same domain, only one of which is the real one

22:35 <gchristensen> I can make a CA right now whic hcan sign for any domain cert

22:35 <gchristensen> and you too will get the pleasure of seeing SSL warnings

22:35 <pie_> installing root CAs via nix updates :D

22:35 <xorAxAx> (an example - https://security.googleblog.com/2013/12/further-improving-digital-certificate.html )

22:36 <xorAxAx> pie_, arent they?

22:37 <xorAxAx> LnL, yeah, and it doesnt need to be root CAs which sign the malicious cert

22:38 <LnL> well, it still needs to be signed by one of the ~600 in the cacert package

22:39 <xorAxAx> LnL, does it? ca depth is limited to 2?

22:39 <simpson> xorAxAx: Do you have examples of delivery methods which *would* be acceptable to you, if HTTPS and SSH+git aren't sufficient?

22:39 <xorAxAx> simpson, i never said that

22:39 <gchristensen> I think they're saying if we signed it and verified it outside of transport

22:40 <simpson> Signed *what*, and verified *how*? Just adding another signature doesn't improve anything.

22:41 <gchristensen> a simple example is the channel could be fetched like any other substitutable derivation

22:41 <gchristensen> and be subject to the same verification rules of any other substituter

22:42 <simpson> Hm, can it? Sure, a particular *version* of the channel can be fetched, but to fetch a newer version means to have a newer hash to expect, right? So we still have a problem of getting the new hashes out over a secure distribution channel.

22:43 <gchristensen> sure, but you've narrowed the scope of possible results of a channel to "was at one time produced by hydra"

22:44 <simpson> Okay, yeah, I see your point.

22:44 <LnL> yeah, signing wouldn't prevent fetching an old (ie. insecure) channel

22:45 <simpson> Certainly a new hash is also *shorter* than an entire channel!

22:47 <LnL> it could keep track of the revision count and warn/fail if that goes down, but that's still not particularly reliable

22:51 <infinisil> Could we sign new channel versions with keys distributed in earlier versions?

22:51 <pie_> i havent really been keeping track but why cant you just - yeah what infinisil said

22:52 <pie_> with the caveat that if an old key is compromised i dont see what you could to about it

22:52 <LnL> not sure I understand that

22:52 <pie_> does that end up tautological

22:52 <xorAxAx> you can also switch to ssh+git, that would be reasonable secure as far as i am concerned

22:53 <xorAxAx> as a default method in docs etc.

22:53 <xorAxAx> not sure whether that has disadvantages

22:54 <pie_> i figure something like this would make sense?: you have a basis of trust which is some root hydra key or something, derive an intermediate key thats actually deployed on hydra, sign artefacts with the intermediate key. the users have the intermediate public keys and can verify artefacts against them.

22:54 <pie_> the problem with https pki is that you have various authorities all with the permissions to do anything with anyone

22:54 <pie_> at least thats my current limited understanding

22:56 <pie_> continuing "<pie_> i figure something like this would make sense?:"; if you have something like that the actual transport medium doesnt matter?

22:56 <pie_> (typical self run pki stuff i think)

22:57 <pie_> well, certificate pinning is a thing, which kind of alleviates mitm problems, i think

22:57 <pie_> (am i just talking nonsense to myself?)

22:58 <infinisil> It sounds good at least xD

23:02 <pie_> i think theres two possible problems to talk about here, one is security (meaning what exactly?) of the transport protocol, and the other is integrity of the transported data. for public (dunno about private) nix infra i figure we're concerned about the latter, in which case the actual protocol used shouldnt matter?#

23:03 <pie_> ^assuming a satisfactory implementation

23:04 <pie_> (im quite sure this is a solved problem i just dont know the space too well...)