Vulnerability of OpenSource Software download mechanisms: VLC
Hello, as we move to improve the status of encryption of the internet and at all levels internet companies diffuse the uses of HTTPS encryption and integrity protection methods there are still a variety of massively diffused pieces of software that can be subject to malware injection trough MITM techniques. VLC, Videolan Client, the most used opensource video player have their entire website in HTTP, their download page in HTTP and the mirror providing the downloading in HTTP. However they are refusing to implement HTTPS arguing that because their .exe are digitally signed with authenticode they are safe https://trac.videolan.org/vlc/ticket/18472 . Please help me explain them how digital attacks works, or please someone make a MITM video-screencast to show them how urgent and important is to upgrade all of the connections to HTTPS. -- Fabio Pietrosanti (naif) HERMES - Center for Transparency and Digital Human Rights http://logioshermes.org - https://globaleaks.org - https://tor2web.org - https://ahmia.fi
On 07/03/2017 08:36 AM, Fabio Pietrosanti - Lists wrote:
Hello,
as we move to improve the status of encryption of the internet and at all levels internet companies diffuse the uses of HTTPS encryption and integrity protection methods there are still a variety of massively diffused pieces of software that can be subject to malware injection trough MITM techniques.
VLC, Videolan Client, the most used opensource video player have their entire website in HTTP, their download page in HTTP and the mirror providing the downloading in HTTP.
However they are refusing to implement HTTPS arguing that because their .exe are digitally signed with authenticode they are safe https://trac.videolan.org/vlc/ticket/18472 .
From the post @ videolan.org: "VLC trust and diffusion has been also being exploited by CIA." And: "So VLC is responsible to let attacks inject malware bundled with the software package, because it's only VLC project maintainer responsibility to use HTTPS as the only method to prevent a third party attacker to hijack VLC website content and files." Against hostile State actors, HTTPS only provides a false sense of security. If your threat model includes the CIA, reliance on HTTPS is a fundamental error in the "game over" category. The HTTPS procotol implemented in web browsers relies on digital signatures by 3rd parties called Certificate Authorities to transparently verify that the key used for the "secure" connection belongs to the website in question. Any actor who owns a copy of any one of the numerous Certificate Authorities' signing keys can sign an SSL certificate in any website's name, and it will be accepted as authentic by any web browser. The HTTPS trust model is broken at the foundation. This does not make HTTPS useless; smaller criminal organizations and hostile individuals do not normally have access to Certificate Authority signing keys, and so can not effectively do man in the middle attacks against HTTPS connections. In most cases implementing HTTPS is worth doing - as long as it is understood that this provides no protection against large, well funded adversaries.
Please help me explain them how digital attacks works, or please someone make a MITM video-screencast to show them how urgent and important is to upgrade all of the connections to HTTPS.
See above: It seems likely that the people at videolan.org have a basic understanding of how digital attacks work, more so than someone who believes that HTTPS can interfere with attacks by State actors. If it is urgent and important for videolan.org to use HTTPS, preventing MITM attacks by State actors (or other criminal gangs with substantial resources) is not the reason. A more effective way to protect against malware injection via substitution of executables in transit, is for the distributor to digitally sign the installers themselves. This method is not 100% reliable - nothing is - but at present it's the best method we have. And note that it is already implemented in the Linux software repositories.
All of this is well and good as long as we remember that digital signing of anything only provides security in processes which verify the signature. Installation through Linux software repositories verifies the signature. Installation on Macs verifies the signature provided the user does not click through warnings (which is common practice). Installation on Windoze verifies the signature provided the user does not click through warnings (which is a required practice in almost all cases). VLC's internal update system presumably verifies the signature. Hence, VLC's security model only provides satisfactory protection in maybe 50% of cases. Despite the comparative weakness of the web browser's WoT compared to possibly the software signing WoT, adding TLS would considerably lock down the number of attack vectors. Windoze is likely already vulnerable to state actors in a hundred other ways such that VLC's installation process isn't the highest priority, but the vast majority of attacks are not from state actors and protecting against smaller attacks is important. Yours sincerely, Bardi Harborow Software Engineer Mobile: +61481816153 Web: bardiharborow.com I acknowledge the Wurundjeri people, who are the custodians of the land upon which I live and work. I pay respect to their elders past and present. On Tue, Jul 4, 2017 at 12:24 AM, Steve Kinney <admin@pilobilus.net> wrote:
On 07/03/2017 08:36 AM, Fabio Pietrosanti - Lists wrote:
Hello,
as we move to improve the status of encryption of the internet and at all levels internet companies diffuse the uses of HTTPS encryption and integrity protection methods there are still a variety of massively diffused pieces of software that can be subject to malware injection trough MITM techniques.
VLC, Videolan Client, the most used opensource video player have their entire website in HTTP, their download page in HTTP and the mirror providing the downloading in HTTP.
However they are refusing to implement HTTPS arguing that because their .exe are digitally signed with authenticode they are safe https://trac.videolan.org/vlc/ticket/18472 .
From the post @ videolan.org: "VLC trust and diffusion has been also being exploited by CIA." And: "So VLC is responsible to let attacks inject malware bundled with the software package, because it's only VLC project maintainer responsibility to use HTTPS as the only method to prevent a third party attacker to hijack VLC website content and files."
Against hostile State actors, HTTPS only provides a false sense of security. If your threat model includes the CIA, reliance on HTTPS is a fundamental error in the "game over" category.
The HTTPS procotol implemented in web browsers relies on digital signatures by 3rd parties called Certificate Authorities to transparently verify that the key used for the "secure" connection belongs to the website in question. Any actor who owns a copy of any one of the numerous Certificate Authorities' signing keys can sign an SSL certificate in any website's name, and it will be accepted as authentic by any web browser.
The HTTPS trust model is broken at the foundation. This does not make HTTPS useless; smaller criminal organizations and hostile individuals do not normally have access to Certificate Authority signing keys, and so can not effectively do man in the middle attacks against HTTPS connections. In most cases implementing HTTPS is worth doing - as long as it is understood that this provides no protection against large, well funded adversaries.
Please help me explain them how digital attacks works, or please someone make a MITM video-screencast to show them how urgent and important is to upgrade all of the connections to HTTPS.
See above: It seems likely that the people at videolan.org have a basic understanding of how digital attacks work, more so than someone who believes that HTTPS can interfere with attacks by State actors.
If it is urgent and important for videolan.org to use HTTPS, preventing MITM attacks by State actors (or other criminal gangs with substantial resources) is not the reason.
A more effective way to protect against malware injection via substitution of executables in transit, is for the distributor to digitally sign the installers themselves. This method is not 100% reliable - nothing is - but at present it's the best method we have. And note that it is already implemented in the Linux software repositories.
*** Steve Kinney <admin@pilobilus.net> [2017-07-03 17:30]:
However they are refusing to implement HTTPS arguing that because their .exe are digitally signed with authenticode they are safe https://trac.videolan.org/vlc/ticket/18472 .
Against hostile State actors, HTTPS only provides a false sense of security. If your threat model includes the CIA, reliance on HTTPS is a fundamental error in the "game over" category.
-- Sergey Matveev (http://www.stargrave.org/) OpenPGP: CF60 E89A 5923 1E76 E263 6422 AE1A 8109 E498 57EF
Using videolan purely as representative example... Here are some keys... https://download.videolan.org/pub/keys/ https://keyserver.siccegge.de:11371/pks/lookup?search=0xE58D1ADC&fingerprint=on&hash=on&op=vindex Their main app is signed. But like most orgs, they still think unsigned '.md5 / .sha1' text files are somehow both unbroken crypto hashes, and unmolestable... https://download.videolan.org/pub/videolan/vlc/2.2.6/ Probably none of rest of their tree / libraries are signed... https://download.videolan.org/pub/videolan/ Probably also not signed is their repo init hash, or any subsequent tagged commits (btw, monotone.ca is a bit more integrated there)... https://git.videolan.org/ And depending on jurisdiction, even looking at these subjects over cleartext could be a privacy / legal / watchlist nightmare... https://download.videolan.org/pub/videolan/libdvdcss/1.4.0/ https://download.videolan.org/pub/videolan/libbluray/1.0.1/ https://download.videolan.org/pub/videolan/libaacs/0.9.0/ https://download.videolan.org/pub/videolan/libbdplus/0.1.2/ Any hacked consumer router / wifi / ISP / corp / gov can easily intercept / replace the 'tarball' '.asc' pair on the fly. HTTPS can help with that. But even CA's, letsencrypt.org, and browser cert store are subvertable. That's why TLS cert fingerprint pinning and cert observatories also exist. Then you've got ARP, IP and DNS MITM and BGP too, neither have really globally fully deployed 'SEC' versions yet. For cookies, there's domain validity and TLS horizon issues. And for binaries, there's reproducibility and chain of trust back to source. Then distribution channels and bitrot and hardware / software / service / human backdoors, exploits, and exploitation. That's the sad global state of affairs. It's easy to bury your head or be busy. While imperfect alone, default HTTPS / TLS is free and easy and helps negate and make things harder in depth, and pisses off some adversaries. It's part of the game till something better comes, just do it. To their credit (or Gandi as their possible hoster), this actually works, it's just not the enforced / exclusive default, which is a fairly easy switch to flip... https://www.videolan.org/ https://www.ssllabs.com/ssltest/analyze.html?d=www.videolan.org&s=88.191.250.2&latest They accept bitcoin... https://www.videolan.org/contribute.html Don't look here either... http://www.labdv.com/aacs/ http://forum.doom9.org/forumdisplay.php?f=9 Curiously, the end2end of onion / i2p / cjdns services bypass some of those issues, but few clearnet sites offer them.
participants (5)
-
Bardi Harborow -
Fabio Pietrosanti - Lists -
grarpamp -
Sergey Matveev -
Steve Kinney