some packages are downloaded via HTTP ?

[amkhlv]

When calling raco pkg install rash, it seems that some packages, such as overeasy and mcfly are downloaded via plain HTTP, no SSL... Could this open a possibility of MITM attack?

[willghatch]

On Wed, Oct 14, 2020 at 06:34:26PM -0700, Andrei Mikhailov wrote: When calling `raco pkg install rash`, it seems that some packages, such as `overeasy` and `mcfly` are downloaded via plain HTTP, no SSL... Could this open a possibility of MITM attack?

Hmm, I hadn't noticed that that package author serves his sources only over HTTP. Yes, that is cause for concern. However, those packages are only necessary for some of the code in the demo directory. I've been thinking of splitting off the demos into a separate `rash-demos` package to reduce dependencies anyway, so this gives extra motivation. I rather wish he would make git repositories for those packages available somewhere -- some of his packages have useful functionality that I would like to extend (rather than writing a completely new library myself), but I'm not going to hack on packages with no public code repository. Even if I were to simply fork, having an existing repository to fork from would be useful. Thanks for the heads-up.

[willghatch]

I've gone ahead and split out the demo code into a separate package. This fixes the issue unless you also install that new package. Since the demos should mostly be used for understanding and writing your own code (they explicitly promise no stability), I don't mind as much that the problem lives on there. However, perhaps if you contact the author of those packages he will consider at least adding https to his server or to the package URLs.

[amkhlv]

Thank you ! But, I am surprised that raco pkg allows this to happen... Should I file a bug against Raco?
Also, notice that Neil Van Dyke does have HTTPS on his website. Is it that only packages are over HTTP? Could it be an issue with Raco ?

[amkhlv]

And also, csv-reading ...

[willghatch]

On Thu, Oct 15, 2020 at 02:08:57PM -0700, Andrei Mikhailov wrote: Thank you ! But, I am surprised that `raco pkg` allows this to happen... Should I file a bug against `Raco`?

Perhaps. I would want to be warned, at least, that some packages are being downloaded via http with no ssl.

Also, notice that Neil Van Dyke __does__ have HTTPS on his website. Is it that only packages are over HTTP? Could it be an issue with `Raco` ?

It could be that he just didn't put the `s` in the package URL. That could fix it. I'll email Neil and perhaps he'll just add the `s`s. Another possibility for dealing with this problem generally is that the pkgs.racket-lang.org could flag packages that use raw http like it flags packages that have build/test errors. This would be less visible while installing things, but would be better than nothing, and would be something that package authors would see reducing the at-a-glance reputability of their packages. I forget who is in charge of pkgs.racket-lang.org at the moment, or I would @ them. @mflatt do you want to weigh in on package security?

[mflatt]

It's rare for packages to be accessed via HTTP, because most are on GitHub, and the package manager rewrites http:// GitHub paths to use the Git protocol over SSL. Aside from Neil's many packages, I see only five other packages that use HTTP.

Making raco pkg rewrite all HTTP to HTTPS by default (unless the behavior is overridden with, say, an environment variable) is probably a good idea, and I think that would make a good issue at https://github.com/racket/racket . With that change, at least three packages registered as HTTP won't install; requring a user to specifically opt in to HTTP seems appropriate, but I'm not sure how easy it will be to detect a certificate or connection failure and recommend a way to opt in.

[amkhlv]

OK, I submitted racket/racket#3443