Wish for additional TLS access to GnuPG and Gpg4win binaries
Closed, Resolved, Public

Description

The gnupg.org web site has a working SSL certificate, but is distributing
both code and sigs via insecure FTP.
(eg: ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.0.27.tar.bz2 )

It is unreasonable to ask users to verify gpg signatures for gpg by using
gpg, and by choosing not to let us use SSL to get gpg in the first place is
effectively blocking security-minded people from being able to trust your
distro.

Your web site also says this:-
GnuPG distributions are signed. It is wise and more secure to check out for
their integrity.

But it does not distribute signatures over any secure channel either.

Your integrity page says this:
Using sha1sum
...check that the output matches the SHA-1 checksum reported on this site.

However, nowhere obvious on your web site are any SHA-1 checksums shown.

This kind of sloppiness is not appropriate in the year 2015, and it suggests
that the level of care put into everything else inside GPG might not be the
kind of quality that users expect?

Event Timeline

werner lowered the priority of this task from Unbreak Now! to Normal.
werner removed a project: Bug Report.
werner added a subscriber: werner.

Sorry, I do not understand your point.

Sure, FTP is clear and not authenticated. Instead of providing a not very
secure HTTPS access to the files we provide signatures for all source files
which are way more secure than the X.509 infrastructure.

It is in fact reasonable to ask to use an existing gpg to verify a signature.
gpg is a base tool for almost free OS distributions for about 15 years.

If you need to fall back to SHA-1 checksums, you may take them from the
announcement or from https://gnupg.org/download/integrity_check.html; they are at
the bottom of the page. Only the current versions are listed, though.

Anyway, the FTP server is meanwhile also accessible via https://gnupg.org/ftp -
if you know the file name.

gpg itself, and all its SHA sums, and all your keys, are being distributed
over unauthenticated plain-text channels which are 100% vulnerable to
undetectable modification in transit.

There is NO EXCUSE for any security product to be distributed in such a
blatantly irresponsible way.

EVERY PLAINTEXT ENDPOINT NEEDS TO BE SHUT DOWN

cnd raised the priority of this task from Normal to Unbreak Now!.
cnd added a project: Bug Report.

Please check the facts. I am closing this bug. If you want to raise that again
please feel free to do so at gnupg-users@gnupg.org.

werner lowered the priority of this task from Unbreak Now! to Normal. Sep 10 2015, 3:49 PM
werner removed a project: Bug Report.
cnd raised the priority of this task from Normal to Unbreak Now!.
cnd added a project: Bug Report.

I checked. Here are some inconvenient "facts" for you:

http://gpg4win.org/download.html
http://files.gpg4win.org/gpg4win-2.2.6.exe
http://files.gpg4win.org/gpg4win-2.2.6.exe.sig

https://www.gnupg.org/download/mirrors.html *
There is NOT EVEN ONE SINGLE SSL LINK on the above page!!!!!

Dude - you need to take yourself off this project. If you are more
interested in winning some stupid pride fight than protecting users of a
security product, you deserve no place on the team.

Let me quote YOUR OWN WORDS back to you:
" Instead of providing a not very secure HTTPS access to the files... "

You work on a security product, and you expect us to accept that because you
somehow believe the same security that protects every single other thing on
the web is "not very secure", that it's all fine and hunky-dory for you to
distribute yours over PLAIN UNAUTHENTICATED TEXT, and to expect us to USE
this unauthenticated code to verify its own signatures, which also come the
same way (http://files.gpg4win.org/gpg4win-2.2.6.exe.sig)

Here's some more facts - just one tiny list...

ftp://ftp.gnupg.ca/
ftp://ftp.ring.gr.jp/pub/net/gnupg/
http://www.ring.gr.jp/pub/net/gnupg/
ftp://gd.tuwien.ac.at/privacy/gnupg/
http://gd.tuwien.ac.at/privacy/gnupg/
ftp://mirrors.dotsrc.org/gcrypt/
http://mirrors.dotsrc.org/gcrypt/
ftp://ftp.jyu.fi/pub/crypt/gcrypt/
ftp://mirror.cict.fr/gnupg/

http://artfiles.org/gnupg.org
ftp://ftp.franken.de/pub/crypt/mirror/ftp.gnupg.org/gcrypt/

ftp://ftp.freenet.de/pub/ftp.gnupg.org/gcrypt/

http://ftp.heanet.ie/mirrors/ftp.gnupg.org/gcrypt/

...

and the list snakes on

Do not close this bug. Your emotions are too heated to be rational now.

werner lowered the priority of this task from Unbreak Now! to Normal.
werner removed a project: Bug Report.

This has nothing to do with gnupg.org. And if you have followed the discussions
you will have noticed that I requested to add TLS support for gpg4win. Please
keep this bug closed and TAKE THIS TO A MAILING LIST - if you want audience for
this problem address it in the public and not on this bug tracker! I can't do
anything for you here.

cnd raised the priority of this task from Normal to Unbreak Now!.
cnd added a project: Bug Report.

Stop closing this bug.
I did take this to the list.
You or whoever runs/moderates it is blocking my post.

DO NOT CLOSE THIS until such time as windows users are prevented from
getting your security solution over totally insecure channels.

This is not a game you know - it's an almost absolute certainty that your
careless security attitude will GET PEOPLE KILLED.

Let the person who fixes the insecure distribution problem be the one who
closes this bug. It is not appropriate that your ego needs to win some
puerile argument at the expense of other people's safety and lives.

Nope, I have see your post.

I asked you several times to not continue here.
Again: PLEASE STOP THAT NOW and keep this bug closed.

werner lowered the priority of this task from Unbreak Now! to Normal.
werner removed a project: Bug Report.

This is still open: http://files.gpg4win.org/gpg4win-2.2.6.exe
So this stays open: T1858

You said: "TAKE THIS TO A MAILING LIST"
You then said: "I have see your post."
You are behaving with extreme deception and dishonesty.
Leave this issue to someone else - your emotions have destroyed your
objectivity.

cnd raised the priority of this task from Normal to Unbreak Now!.
cnd added a project: Bug Report.
werner lowered the priority of this task from Unbreak Now! to Normal.
werner removed a project: Bug Report.
werner added a project: Stalled.

Gpg4win installers have been code-signed with Authenticode for years and thus are
as securely authenticable as you trust the Microsoft code signing certificate chain.
(If the Microsoft code-signing certificate chain is broken, your system is wide
open as it secures a lot.)

Gpg4win and GnuPG binaries are signed and additional available over TLS channels
(which provides less integrity protection.)

cnd raised the priority of this task from Normal to Unbreak Now!.
cnd added a project: Bug Report.

For as long as easy MitM can substitute traffic, signing the EXE is a
pointless waste of time.

https://files.gpg4win.org/

For as long as easy MitM can substitute traffic,
signing the EXE is a pointless waste of time.

I disagree, MitM cannot fake the origin so there is no gain in integrity
by using TLS. And if MitM can substitute traffic, it can also block TLS traffic
so there is also no gain in availability.

Let me quote from T1858 (cnd on Nov 12 2015, 10:21 AM / Roundup):

additional available over TLS channels

So there is https://files.gpg4win.org/gpg4win-2.2.6.exe

bernhard renamed this task from Insecure unauthenticable distribution via (secure) gnupg site to Wish for additional TLS access to GnuPG and Gpg4win binaries. Nov 12 2015, 11:26 AM
bernhard closed this task as Resolved.
bernhard claimed this task.

Sounds like a plan!

Get rid of all the insecure delivery mechanisms ( e.g.
http://files.gpg4win.org/gpg4win-2.2.6.exe ), which you can now safely do
because you've got secure ones (well done), then (and only then) you can
close this bug!

We will keep the non-TLS access, because there are some people
that will lose access otherwise. This would be a security loss in availability.

I appreciate that you are checking what we do and that you want to help the initiative.
In order that many people can do so in a constructive way
the tracker is here to support the active contributors,
which will have the final say what they are going to see as a todo item or not.
We'll probably change some of the web pages and will move some more services
over time, but there is not much point in tracking it here.
Please respect this decision.

"We will keep the non-TLS access, because there are some people
that will lose access otherwise."

LOL

You know that GnuPG is a security product, right?

I challenge your assumption. Nobody will lose access, but securing
downloads will make EVERYONE mass-loads safer.

Heck dude - there's this search engine, maybe you've heard of it? It's
called GOOGLE. They make you use this thing, maybe you've heard of it too?
It's called TLS.

Just get rid of the unsafe stuff Bernhard, this isn't a game, people's lives
really do balance on this stuff. Start acting responsibly.

Dear Chris <coward@anon.im>,

this is the todo list of active contributors
and to be useful to them, they get to decide what is tracked.

My argument that there are some people that are in situations
where they cannot get a TLS connection (behind a firewall or not having
the right software), they still get the same, integrity protected distribution.
All others can use TLS, if they want to. So it is more people overall
that have access.

Convince a few other active contributors of GnuPG or Gpg4win that
you are still having a valid point for the todo list. If so, open a new
issue. Reopening this one is not helpful.

Best,
Bernhard

bernhard lowered the priority of this task from Unbreak Now! to Wishlist.
bernhard removed a project: Bug Report.
bernhard added a project: Feature Request.
cnd raised the priority of this task from Wishlist to Unbreak Now!.
cnd added projects: Info Needed, Bug Report.

Mate - it's this simple. For as long as you're distributing a security
product over plaintext insecure channels, this bug needs to stay open.

TLS will NOT prevent anyone downloading this, no matter how hard you cling
to that irrational idea. If you work for someone who is exploiting this
attack vector SHAME ON YOU!!!

Stop wasting everyone's time. If you don't want to fix this, go away and do
something else, stop preventing someone who *can* fix it from actually doing
that by messing with this ticket.

Chris, please take this to one of the mailing lists (gnupg-users@gnupg.org).
You want a discussion about this and thus the bug tracker is not the right medium
for you. Please do not re-open this bug again.

We provide all kinds of means to verify the software and the default is now to
use the also-easy-to-subvert https for those who are not able to verify
signatures or checksums.

Also feel free to provide a verified copy of the software from your own boxes
and announce that to the Gpg4win lists.

werner lowered the priority of this task from Unbreak Now! to Wishlist.
werner removed projects: Bug Report, Info Needed.
werner added a project: Feature Request.
cnd raised the priority of this task from Wishlist to Unbreak Now!.
cnd added a project: Bug Report.

This is still open: http://files.gpg4win.org/gpg4win-2.2.6.exe
So this stays open: T1858

Chris,
as we want to keep this community functional, we require a basic politeness
and respect for the provided tools like this tracker.

As you keep insisting on an argument that Werner and myself
cannot follow and you do not respect that this tracker is the
todo list of the active contribution, we have to protect
our contribution community from repeated obstruction of our goals.
I will see if I can get this tracker issue closed.

Feel free to bring matters like this up on the public mailing list or
your own other channels.

Best,
Bernhard

bernhard lowered the priority of this task from Unbreak Now! to Wishlist.
bernhard removed a project: Bug Report.
bernhard added a project: Feature Request.

Chris,

the admins tell me that it is easiest to remove your user account
to withdraw updating rights to this issue. This I may be forced to do,
unless we find a better solution for civility and availability of this tracker.

Regards,
Bernhard

Bernhard - this is an issue of security, it is not a place for you to
exercise corruption by using your influence over administrators to shut down
opinions you disagree with.

You have made a statement that I am absolutely confident that no security
professional will support: "We will keep the non-TLS access, because there
are some people that will lose access otherwise.". Aside from this
statement being almost certainly totally untrue, this is nevertheless NOT a
valid reason to continue to distribute a security product over known
compromisable channels. If anyone cannot get GPG because of TLS (which I
doubt), that is NOT a reason for everyone to get GPG over an insecure
channel. Like I've said before, security-downgrade attacks are the most
effective weapon used by adversaries. Do not make it so easy for them.

Let me suggest a resolution to this problem, since we seem to be at a
stalemate:

Let us pick a security professional who is known and trusted. You can write
down your case for why you do not want to use TLS, and I will write down my
case why I want TLS to be mandatory, and we will each give our cases to this
professional.

If they pick your case, I will let you close this ticket and I will not come
back.

If they pick my case, you will resign from the GnuPG project and not come
back.

Deal?

cnd raised the priority of this task from Wishlist to High.
cnd removed a project: Feature Request.
cnd added a project: Bug Report.

Chris,
your arguments have been discussed before.
The transportation with OpenPGP and Authenticode signatures
is considered to be safe enough.
And you can bring them up again in a public discussion forum,
not in a contributors todo list. Or you can use a platform of your choosing,
e.g. a personal blog.

Your last msg's wording is also against our rules as a community to
work together in a respectful manner. You repeatedly imply
personal deficiencies by others like me or Werner you are not convinced
by your arguments. For the sake of our community, we cannot tolerate
that. Thus I'll have to see this specific account to be removed, so we
can close this issue.

I hope to see respectful contributions from you in the future,
Bernhard

bernhard lowered the priority of this task from High to Wishlist.
bernhard removed a project: Bug Report.
bernhard added a project: Feature Request.