bedsoli.blogg.se

Firesheep 0.1 compatibility

When I first showed Pip, the Python package installer, to a coworker a few years ago, his first reaction was that he didn't think it was a good idea to directly run code he downloaded from the Internet as root without looking at it first. Paul McMillan dedicated part of his PyCon talk to this subject.

To illustrate the security concerns, it is good to contrast how Python modules are usually installed with how Apt or Yum do it for Linux distributions. Debian and Red Hat distros usually pre-provision the PGP keys for their packages with the distribution. Provided you installed a legitimate Linux distribution, you get the right PGP keys and every package downloaded through Apt/Yum is PGP checked. This means that the package is signed using the private key for that distribution and you can verify that the exact package was signed and has not been modified. The package manager checks this and warns you when it does not match.

Pip and Easy Install don't do any of that. They download packages in plaintext (which would be fine if every package was PGP signed and checked) and they download the checksums of the package in plaintext. If you manually tell Pip to point to a PyPI repository over HTTPS (say crate.io), it does not check the certificate. If you are on an untrusted network, it would not be tough to simply intercept requests to PyPI, download the package, add malicious code to setup.py and recalculate the checksum before returning the new malicious package to be downloaded.

I think the big users of Python like the Mozillas of the world run their own PyPI servers and only load a subset of packages into them. I've heard of other shops making RPMs or DEBs out of Python packages. It lets you leverage the infrastructure of your distribution, and the signing and checking infrastructure is already there. However, if you don't want to do that, you can always PGP sign and verify your packages, which is what the rest of this post is about.

There are relatively few packages on the cheeseshop (PyPI) that are PGP signed. For this example, I'll use rpc4django, a package I release, and Gnu Privacy Guard (GPG), a PGP implementation. The PGP signature of the package (rpc4django-0.1.12.tar.gz.asc) can be downloaded along with the package (rpc4django-0.1.12.tar.gz). If you simply attempt to verify it, you'll probably get a message like this:

There are additional options like specifying the correct key to sign the package with, but the signing part is easy. However, how many people actually verify the signature? Almost nobody. The package managers (Pip/EasyInstall) don't, and you probably just use one of them.

I tried to work on this at the PythonSD meetup but I didn't get very far, partially because it is a tough problem and partly because there was more chatting than coding. So what can we do? As a concrete proposal, I think we need to get PGP verification into Pip and solve issue #425. This probably means making python-gnupg a prerequisite for Pip (at least for PGP verification). Step two is to add certificate verification. Python 3 already supports certificate checking through OpenSSL.
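An added example (not code from the original post) of what the verification step for a downloaded sdist, and the proposal to build PGP checking into Pip, amount to in Python: parse gpg's `--status-fd` output the way python-gnupg does and refuse to install unless the signature is good and comes from the key you expect. The `gpg` flags are real; file names, key ids and fingerprints are placeholders, and `SAMPLE_NO_PUBKEY` is constructed to look like gpg's output before the maintainer's key has been imported.

```python
"""Verify an sdist's detached PGP signature and pin the signer's key. Added
example (not the original post's code) parsing gpg --status-fd output the
way python-gnupg does; file names, key ids and fingerprints are placeholders."""
import subprocess
from dataclasses import dataclass, field

@dataclass
class SigResult:
    good: bool = False       # GOODSIG/VALIDSIG seen and nothing went wrong
    fingerprint: str = ""    # full fingerprint from the VALIDSIG line
    problems: list = field(default_factory=list)

def parse_gpg_status(status_text: str) -> SigResult:
    """Turn '[GNUPG:] KEYWORD args...' lines into a SigResult."""
    res, seen_good = SigResult(), False
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        keyword, args = parts[1], parts[2:]
        if keyword == "VALIDSIG" and args:      # carries the full fingerprint
            seen_good, res.fingerprint = True, args[0]
        elif keyword == "GOODSIG":
            seen_good = True
        elif keyword == "BADSIG":               # file changed after signing
            res.problems.append("signature does not match the file")
        elif keyword == "NO_PUBKEY" and args:   # the 'public key not found' case
            res.problems.append("public key %s is not in the keyring" % args[0])
        elif keyword in ("ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            res.problems.append("gpg reported %s" % keyword)
    res.good = seen_good and not res.problems
    return res

def check_package(result: SigResult, expected_fpr: str) -> tuple:
    """Install decision: a good signature from an unexpected key still fails."""
    if not result.good:
        return False, "; ".join(result.problems) or "no valid signature"
    if result.fingerprint.upper() != expected_fpr.replace(" ", "").upper():
        return False, "signed by unexpected key %s" % result.fingerprint
    return True, "good signature from the pinned key"

def verify_sdist(package: str, signature: str, expected_fpr: str) -> tuple:
    """Run gpg on a downloaded sdist and its .asc (gpg must be installed)."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify",
                           signature, package], capture_output=True, text=True)
    return check_package(parse_gpg_status(proc.stdout), expected_fpr)

# Constructed gpg status output for a first verify attempt before the key is imported.
SAMPLE_NO_PUBKEY = ("[GNUPG:] NEWSIG\n[GNUPG:] ERRSIG 0123456789ABCDEF 1 8 00 "
                    "1340150400 9\n[GNUPG:] NO_PUBKEY 0123456789ABCDEF\n")
```

Running `verify_sdist("rpc4django-0.1.12.tar.gz", "rpc4django-0.1.12.tar.gz.asc", fingerprint)` before importing the maintainer's key fails the same way as `SAMPLE_NO_PUBKEY`; after the import it passes only if the key's fingerprint is the one you pinned.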