Closed hrs closed 8 years ago
I don't know either. On Unix systems Emacs should be able to create TLS connections, but I don't know whether Emacs actually checks certificates. I know that Emacs 25 on OS X does that if it's built with GNU TLS, but that's about all that I know, and honestly the issue is not so important to me that I'd like to spend any time on researching that.
I have no idea either. @hrs if you are up for it you could dig into this and get back to us with your findings.
Haha, @lunaryorn, fair enough.
And sure, @rejeep, I just researched this a bit. Some folks have already looked into this issue:
It looks like it wouldn't do any harm to switch to HTTPS addresses. `package.el` seems to fall back to HTTP if Emacs isn't configured for TLS, so I don't see a strong reason not to change.
If we do use HTTPS addresses, users that have built Emacs to handle TLS (with `gnutls` or `openssl`) will be able to securely use Cask without overwriting `cask-source-mapping` in their dotfiles.
I'm gonna go ahead and submit a PR changing the addresses that support TLS, if y'all don't mind.
The HTTP fallback here renders the protection of HTTPS almost worthless; all an attacker has to do is make the HTTPS connection fail any way they like, and then they have an HTTP connection to toy with as they like.
@mithrandi I'm not sure what to make of your comment. Where do we have an HTTP fallback here?
Err, sorry, perhaps that was phrased a bit misleadingly: I was referring to this bit of @hrs's comment:
> `package.el` seems to fall back to HTTP if Emacs isn't configured for TLS

However I think I misread the comment, and then proceeded to misdiagnose some other issues, so I guess disregard my comment.
@mithrandi You're welcome :relaxed:
According to `cask-source-mapping`, Cask seems to connect to repositories over plain HTTP. This leaves us open to MITM attacks and a bunch of other problems.

From what I can tell, the `gnu`, `melpa`, `melpa-stable`, and `marmalade` sources currently support HTTPS. `SC` and `org` don't, yet.

I don't know very much about how Emacs handles TLS connections. Do we need to worry about certificates, or would a fix be as simple as changing "http" to "https" in `cask-source-mapping` for the sources that support it?
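
An added example, not part of the thread and not Cask's or `package.el`'s own code: one way an init file could insist on verified HTTPS for package archives and stop with an error rather than degrade to plain HTTP. The `my/` function names and the `example.org` archive URLs are constructed placeholders; `gnutls-available-p` and `gnutls-verify-error` are the real Emacs GnuTLS interfaces.

```emacs-lisp
;;; -*- lexical-binding: t -*-
(require 'cl-lib)
(require 'gnutls)

(defun my/tls-usable-p ()
  "Return non-nil when this Emacs has working GnuTLS support."
  ;; The function may be missing or return nil on builds without GnuTLS.
  (and (fboundp 'gnutls-available-p) (gnutls-available-p)))

(defun my/insecure-archives (archives)
  "Return entries of ARCHIVES whose URL does not use https.
ARCHIVES is an alist of (NAME . URL), the shape of `package-archives'."
  (cl-remove-if (lambda (entry)
                  (string-prefix-p "https://" (cdr entry)))
                archives))

(defun my/require-verified-tls (archives)
  "Return ARCHIVES if every entry is HTTPS and TLS is usable.
Signal an error instead of silently using plain HTTP."
  (unless (my/tls-usable-p)
    (error "No GnuTLS support; refusing to fetch packages over HTTP"))
  (let ((bad (my/insecure-archives archives)))
    (when bad
      (error "Non-HTTPS package archives: %s"
             (mapconcat #'car bad ", "))))
  ;; Abort the connection on any certificate verification failure
  ;; instead of continuing with an unverified peer.
  (setq gnutls-verify-error t)
  archives)

;; Constructed sample data: one HTTPS archive and one plain-HTTP archive.
(defvar my/sample-archives
  '(("gnu" . "https://elpa.example.org/packages/")
    ("org" . "http://org.example.org/elpa/")))

;; Lists the plain-HTTP entry so it can be fixed or dropped.
(my/insecure-archives my/sample-archives)

;; With only HTTPS entries this sets `package-archives'; with the sample
;; above, or on a build without GnuTLS, it signals an error instead.
(condition-case err
    (setq package-archives (my/require-verified-tls my/sample-archives))
  (error (message "Package archives not configured: %s"
                  (error-message-string err))))
```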