rpm-software-management / librepo

A library providing C and Python (libcURL like) API for downloading packages and linux repository metadata in rpm-md format
http://rpm-software-management.github.io/librepo/
GNU Lesser General Public License v2.1

Opportunistically rewrite http:// into https:// as a defence in depth measure #194

Closed KOLANICH closed 4 years ago

KOLANICH commented 4 years ago

If a metalink lists a plain http URI, librepo should rewrite it to https and try it first, and use plain http only if the TLSed version is not available, as a defence in depth measure (for protecting from eavesdropping and replays, and for mitigating against a malicious MiTM that may be used to exploit some vulnerabilities that cannot be mitigated by OpenPGP signature checks).

Conan-Kudo commented 4 years ago

So you are proposing that we force an https request to probe for support? This violates the spec on how URLs are supposed to work. If a user explicitly wants http (no TLS), then that's what they should get. You can, as a user of librepo, choose to do differently (even rewrite the metalink being passed into librepo in the first place), but it would be wrong for librepo to make judgement calls like that.
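The caller-side approach suggested in the reply above (rewriting the mirror list before it reaches librepo) can be illustrated with a small standalone script. This is an added example, not code from librepo or from either commenter: it parses a constructed Metalink v3 mirror list (the layout Fedora-style mirrorlists use, with a `preference` attribute per `url`), keeps the metalink's preference order, inserts an https twin in front of every plain http mirror, and leaves the original http URLs after all https candidates as the fallback. The resulting list is what a librepo user would hand to the handle as explicit URLs (that hand-off is assumed here and not shown); a rewritten https URL that the mirror does not actually serve simply fails and the downloader moves on, which is the "opportunistic" behaviour the issue describes, while the explicit mirrors the metalink author listed are still honoured.

```python
"""Added example: prefer TLS mirrors from a metalink before calling librepo.

Standalone; does not import librepo. SAMPLE_METALINK is constructed for this
example and is not a real mirror list. Hostnames under .example are placeholders.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Constructed Metalink v3 document (namespace http://www.metalinker.org/).
SAMPLE_METALINK = """<metalink version="3.0" xmlns="http://www.metalinker.org/">
  <files>
    <file name="repomd.xml">
      <resources maxconnections="1">
        <url protocol="https" type="https" location="DE" preference="100">https://mirror-a.example/repo/repodata/repomd.xml</url>
        <url protocol="http" type="http" location="US" preference="99">http://mirror-b.example/repo/repodata/repomd.xml</url>
        <url protocol="http" type="http" location="FR" preference="98">http://mirror-a.example:80/repo/repodata/repomd.xml</url>
        <url protocol="ftp" type="ftp" location="NL" preference="50">ftp://mirror-c.example/repo/repodata/repomd.xml</url>
      </resources>
    </file>
  </files>
</metalink>
"""


def _local_name(tag):
    """Strip the XML namespace so Metalink v3 and v4 documents both match."""
    return tag.rsplit("}", 1)[-1]


def extract_urls(metalink_xml):
    """Return the mirror URLs ordered by descending 'preference' (stable sort)."""
    root = ET.fromstring(metalink_xml)
    found = []
    for el in root.iter():
        if _local_name(el.tag) == "url" and el.text and el.text.strip():
            preference = int(el.get("preference", "0"))
            found.append((preference, el.text.strip()))
    found.sort(key=lambda item: -item[0])
    return [url for _, url in found]


def upgrade_to_https(url):
    """Build the https twin of a plain-http URL, or None if the URL is not http.

    An explicit ':80' port is dropped because it would be wrong for TLS; any
    other explicit port is kept unchanged (the mirror operator chose it).
    """
    parts = urlsplit(url)
    if parts.scheme != "http":
        return None
    netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def tls_first_order(urls):
    """Place https candidates first, then the original http URLs, then the rest.

    Every https URL (listed or derived from an http one) is tried before any
    plain-http URL, so the downgrade to http happens only after all TLS
    candidates have failed. Duplicate https candidates are collapsed.
    """
    https_candidates, http_fallback, others = [], [], []
    seen = set()
    for url in urls:
        scheme = urlsplit(url).scheme
        if scheme == "https":
            candidate = url
        elif scheme == "http":
            candidate = upgrade_to_https(url)
            http_fallback.append(url)
        else:
            others.append(url)
            continue
        if candidate not in seen:
            seen.add(candidate)
            https_candidates.append(candidate)
    return https_candidates + http_fallback + others


def build_mirror_list(metalink_xml=SAMPLE_METALINK):
    """Full pipeline: metalink XML -> URL list a librepo caller could pass on."""
    return tls_first_order(extract_urls(metalink_xml))


if __name__ == "__main__":
    for url in build_mirror_list():
        print(url)
```

The http entries keep their relative order in the fallback tail, so the metalink author's preferences still decide the order within each scheme; only the scheme tiers are reordered.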