codedance
commented
9 years ago Thanks @neuegram . That’s the benefit of open source! Many eyes keep things secure. Thanks for taking the time to review the code and make some suggestions. As mentioned, we’re not using Silver in production just yet. We’re working on other aspects of our auto updating functions but did this code very early on in the project to proof-of-concept the flow, stability and viability across all the major platforms (Mac, Linux and Windows). We’ve also make this work open so others can benefit. In this respect it’s been great. We’ve had a few external contributions as well. Open source is great! Many eyes make great software.
Regarding the issue you raised. You have a few good points and discuss them below. I’d also welcome your input/suggestion on a few proposed changes.
I don’t think it’s a security issue per se, but rather an issue with “It’s too easy to shoot yourself in the foot”. The design intention is that the update URL should only ever point to a signed HTTPS server (i.e. the check URL should be in the form of https://myupdateserver.org/updatecheck ). Because the “author” (the person who supplied the first installed version) controls the update check URL, they can control this location - the trust chain starts with the first install and all upgrades following. Our assumptions/designs are:
- An HTTPS connection ensures it’s not possible to man-in-the-middle. The code (golang standard library) enforces certificate trust chain on HTTPS by default.
- Using a SHA checksum ensures only signed downloads are accepted and installed. This allows the author to host the update binary itself on an non-HTTPS server if you so desire (e.g. support distribute via a CDN).
- The “arbitrary commands” is by design. A MITM should not be able to insert commands, or substitute their binary unless they can MITM an TLS connection.
I can however see your point of view. Where I think things fall down from a security point of view is that it fails the “secure-by-default rather than secure-by-configuration” test.
I’ve made the following code changes to close this (and of course will be included in the documentation when we finish this off :-):
- The update check URL now may ONLY be
https - I’ve removed md5 as an possible checksum option. Now only the SHA variants are supported.
This changes should make it impossible to accidentally use a non-secure configuration.
Future Ideas:
- It might be worth supporting certificate pinning/signing/locking. i.e. Not only must the certificate be signed for the update check domain, but we’ll only accept this particular certificate/fingerprint.
- It’s not security, but maybe we could prevent some accidents by “chrooting” any of the operations (exec, remove, move, etc) into the application install directory.
What are your thoughts on these changes?
Thanks for the contribution.
Cheers!
Chris
neuegram
It has come to my understanding that PaperCut plans to use Silver in an upcoming release (~1 year). I was told that the idea behind Silver and the product it will be included in is to "host an agent service installed at customer sites that needs to operate reliably with zero on-site maintenance and configuration." Unfortunately, this is not easily done. Here is my take on the security of Silver. This basic, common mistake that most software makes is that it updates over HTTP (or binaries are distributed over HTTP). However, Silver takes that a step further by allowing arbitrary command injection. Read more here.