Bug 393988

Summary: Discover flatpak integration retrieves resources over http and is vulnerable to MitM attack
Product: [Applications] Discover
Reporter: Nikita Skovoroda <chalkerx>
Component: Flatpak Backend
Assignee: Aleix Pol <aleixpol>
Status: RESOLVED DUPLICATE
Severity: normal
CC: jgrulich
Priority: NOR
Version First Reported In: 5.12.5
Target Milestone: ---
Platform: Other
OS: Linux
Latest Commit:
Version Fixed/Implemented In:
Sentry Crash Report:

Description Nikita Skovoroda 2018-05-08 10:42:34 UTC
To reproduce: add `distribute.kde.org/kderuntime.flatpakrepo`.

The repo file, including the GPGKey, is by default retrieved over http, and could be tampered with.

There are several problems here:

1. Discover supports adding http:// resources as flatpak repos and does not warn that that is insecure.
2. Discover supports adding repos without protocol and defaults those to http:// instead of https://
3. distribute.kde.org is configured to support http://distribute.kde.org and answers to it (to reproduce — open http://distribute.kde.org in «private mode» or just curl it). HSTS does not redirect by itself. See https://www.troyhunt.com/understanding-http-strict-transport/ for more details

The proposed fix would be:
1. Warn on http:// repos, perhaps with an additional confirmation box
2. Default protocol-less addresses to https:// instead of http://
3. Properly configure HSTS and http->https redirects on distribute.kde.org, according to https://www.troyhunt.com/understanding-http-strict-transport/
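The two client-side parts of the proposed fix (default scheme-less addresses to https://, warn on http://) plus a check on the fetched repo file, as an added example. This is not Discover's code: Discover is a Qt application, but the example below uses only the C++ standard library so it runs stand-alone. The function names (normalizeRepoAddress, parseFlatpakRepo, repoFileIsAcceptable) and the two sample .flatpakrepo files are constructed for illustration; the samples are not the real kderuntime.flatpakrepo. The check is done in the client rather than relying on HSTS because HSTS is a browser mechanism that a package-manager fetch does not consult, and even in a browser the first plain-http request is sent before any HSTS policy has been learned.

```cpp
#include <iostream>
#include <map>
#include <sstream>
#include <string>

// Result of normalising a repository address typed into the "add repo" field.
struct RepoAddress {
    std::string url;  // address with an explicit scheme
    bool insecure;    // true when the fetch would not be TLS-protected
};

static bool startsWith(const std::string& s, const std::string& prefix) {
    return s.compare(0, prefix.size(), prefix) == 0;
}

// Default a scheme-less address to https:// and flag anything that is not
// https so the caller can warn (or refuse) before fetching the repo file.
RepoAddress normalizeRepoAddress(const std::string& input) {
    if (startsWith(input, "https://")) return {input, false};
    if (input.find("://") != std::string::npos) return {input, true};  // http:// or other
    return {"https://" + input, false};
}

// Minimal parser for the [Flatpak Repo] group of a .flatpakrepo keyfile
// (key=value lines; comments and other groups are ignored).
std::map<std::string, std::string> parseFlatpakRepo(const std::string& text) {
    std::map<std::string, std::string> keys;
    std::istringstream in(text);
    std::string line;
    bool inGroup = false;
    while (std::getline(in, line)) {
        if (!line.empty() && line.back() == '\r') line.pop_back();
        if (line.empty() || line[0] == '#') continue;
        if (line[0] == '[') { inGroup = (line == "[Flatpak Repo]"); continue; }
        if (!inGroup) continue;
        auto eq = line.find('=');
        if (eq == std::string::npos) continue;
        keys[line.substr(0, eq)] = line.substr(eq + 1);
    }
    return keys;
}

// Acceptance check a client could apply before adding the remote: the repo's
// Url must be https and a GPGKey must be present. A repo file served over
// plain http can have both fields replaced on the wire, so the signing key is
// only worth something if the file that carries it was fetched over TLS.
bool repoFileIsAcceptable(const std::map<std::string, std::string>& keys, std::string* reason) {
    auto url = keys.find("Url");
    if (url == keys.end()) { *reason = "no Url key"; return false; }
    if (!startsWith(url->second, "https://")) { *reason = "Url is not https: " + url->second; return false; }
    auto key = keys.find("GPGKey");
    if (key == keys.end() || key->second.empty()) { *reason = "no GPGKey"; return false; }
    *reason = "ok";
    return true;
}

// Constructed sample repo files (not the real kderuntime.flatpakrepo; the
// GPGKey value is a placeholder, not a real key).
const std::string kHttpRepo =
    "[Flatpak Repo]\n"
    "Title=KDE Runtime (constructed sample)\n"
    "Url=http://distribute.kde.org/kderuntime/\n"
    "GPGKey=Q09OU1RSVUNURUQ=\n";

const std::string kHttpsRepo =
    "[Flatpak Repo]\n"
    "Title=KDE Runtime (constructed sample)\n"
    "Url=https://distribute.kde.org/kderuntime/\n"
    "GPGKey=Q09OU1RSVUNURUQ=\n";

int main() {
    for (const char* input : {"distribute.kde.org/kderuntime.flatpakrepo",
                              "http://distribute.kde.org/kderuntime.flatpakrepo"}) {
        RepoAddress a = normalizeRepoAddress(input);
        std::cout << input << " -> " << a.url << (a.insecure ? "  [WARN: not https]" : "") << "\n";
    }
    for (const std::string* repo : {&kHttpRepo, &kHttpsRepo}) {
        std::string why;
        bool ok = repoFileIsAcceptable(parseFlatpakRepo(*repo), &why);
        std::cout << (ok ? "accept" : "reject") << ": " << why << "\n";
    }
    return 0;
}
```

The address check and the repo-file check are deliberately separate: the first protects the fetch of the .flatpakrepo file itself, the second protects against a file that was fetched securely but points the client at a plain-http remote for the actual package data.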
Comment 1 Aleix Pol 2018-05-08 13:38:16 UTC

*** This bug has been marked as a duplicate of bug 393987 ***
Comment 2 Nikita Skovoroda 2018-05-08 14:02:45 UTC
Sorry, I have no idea why this was submitted twice.

Perhaps I could have accidentally double-tapped the submit button twice on the touchpad before the next page was loaded? Still strange that Bugzilla didn't prevent this though.