Bug 393987

Summary: Discover flatpack integration retrieves resources over http and is vulnerable to MitM attack
Product: [Applications] Discover Reporter: Nikita Skovoroda <chalkerx>
Component: Flatpak BackendAssignee: Aleix Pol <aleixpol>
Status: RESOLVED FIXED    
Severity: normal CC: jgrulich
Priority: NOR    
Version First Reported In: 5.12.5   
Target Milestone: ---   
Platform: Other   
OS: Linux   
Latest Commit: https://commits.kde.org/discover/5d6593633f026f6f204fa712282fe6f2ef5adc9c Version Fixed/Implemented In:
Sentry Crash Report:
Attachments: attachment-18910-0.html
attachment-24133-0.html

Description Nikita Skovoroda 2018-05-08 10:42:34 UTC 
To reproduce: add `distribute.kde.org/kderuntime.flatpakrepo`.

The repo file, including the GPGKey, is by default retrieved over http, and could be tampered with.

There are several problems here:

1. Discover supports adding http:// resources as flatpack repos and does not warn that that is insecure.
2. Discover supports adding repos without protocol and defaults those to http:// instead of https://
3. distribute.kde.org is configured to support http://distribute.kde.org and answers to it (to reproduce — open http://distribute.kde.org in «private mode» or just curl it). HSTS does not redirect by itself. See https://www.troyhunt.com/understanding-http-strict-transport/ for more details

The proposed fix would be:
1. Warn on http:// repos, perhaps with an additional confirmation box
2. Default protocol-less addresses to https:// instead of http://
3. Properly configure HSTS and http->https redirects on distribute.kde.org, according to https://www.troyhunt.com/understanding-http-strict-transport/
Comment 1 Aleix Pol 2018-05-08 13:38:16 UTC 
*** Bug 393988 has been marked as a duplicate of this bug. ***
Comment 2 Aleix Pol 2018-05-08 13:42:12 UTC 
Git commit 5bbbc47f6da4768e1e106ac4df342dfe5433dc12 by Aleix Pol.
Committed on 08/05/2018 at 13:41.
Pushed by apol into branch 'master'.

Use https by default for the repository

M  +1    -1    kdeapps.flatpakrepo

https://commits.kde.org/flatpak-kde-applications/5bbbc47f6da4768e1e106ac4df342dfe5433dc12
Comment 3 Aleix Pol 2018-05-08 13:51:33 UTC 
Git commit 5d6593633f026f6f204fa712282fe6f2ef5adc9c by Aleix Pol.
Committed on 08/05/2018 at 13:49.
Pushed by apol into branch 'Plasma/5.12'.

Don't try to guess the url location

Usually should be a remote URL anyway

M  +1    -1    libdiscover/backends/FlatpakBackend/FlatpakSourcesBackend.cpp

https://commits.kde.org/discover/5d6593633f026f6f204fa712282fe6f2ef5adc9c
Comment 4 Aleix Pol 2018-05-08 13:52:35 UTC 
I don't think we are ready to disallow http: urls yet and a warning would be useless.

Maybe it's something we can do in the future.
Comment 5 Nikita Skovoroda 2018-05-08 14:15:06 UTC 
Yeah. The changes in Discover itself look good for now (assuming that 5d6593633f02 behaves like I think it does), but the webserver configuration behind `distribute.kde.org` should be also changed as people could copy-paste the links from there.

E.g when someone opens `http://distribute.kde.org/`, select the link to `http://distribute.kde.org/kdeapps.flatpakrepo` and copy-paste it into Discover — they retrieve the GPGKey (and the rest of the repo configuration) over http.

Reconfiguring the server to perform a redirect from http:// to https:// and adding HSTS with `preload` should fix that specific chain — even when someone types in `http://distribute.kde.org/` into the browser, it would open `https://distribute.kde.org/` and the user would receive a link with `https://`
Comment 6 Aleix Pol 2018-05-09 01:38:04 UTC 
Considering we already have the GPG key, it shouldn't be super relevant if the content doesn't come from https.

Feel free to take it to sysadmin and CC me there.
https://phabricator.kde.org/u/systickets
Comment 7 Nikita Skovoroda 2018-05-09 07:22:48 UTC 
Created attachment 112525 [details]
attachment-18910-0.html

The gpg key itself is retrieved over http in the scenario I described,
isn't it?

On Wed, May 9, 2018, 04:38 Aleix Pol <bugzilla_noreply@kde.org> wrote:

> https://bugs.kde.org/show_bug.cgi?id=393987
>
> --- Comment #6 from Aleix Pol <aleixpol@kde.org> ---
> Considering we already have the GPG key, it shouldn't be super relevant if
> the
> content doesn't come from https.
>
> Feel free to take it to sysadmin and CC me there.
> https://phabricator.kde.org/u/systickets
>
> --
> You are receiving this mail because:
> You reported the bug.
Comment 8 Aleix Pol 2018-05-10 13:31:35 UTC 
As long as the user uses an http url. We aren't defaulting to http anymore.
Comment 9 Nikita Skovoroda 2018-05-10 13:41:43 UTC 
Created attachment 112561 [details]
attachment-24133-0.html

No, the problem I am talking about now is that the website opens with
`http` by default.
The `Discover` part of defaulting to http:// was fixed, but users probably
are receiving that link from the distribute.kde.org website — and that
returns http:// by default.

Open up a browser with no HSTS cache (e.g. a private window), type in `
distribute.kde.org` without the protocol — you will get
http://distribute.kde.org, copy-paste the `.flatpakrepo` link from there —
and Discover will retrieve the GPGKey over insecure connection.

I estimate that being a common way which users might follow.
A proper HSTS setup with redirects and preload on distrubute.kde.org would
fix this path.
Comment 10 Aleix Pol 2018-05-10 14:11:54 UTC 
That's why I mentioned that maybe you could discuss this with sysadmin.

On our website is properly exposed anyway:
https://community.kde.org/Guidelines_and_HOWTOs/Flatpak