https://bugs.kde.org/show_bug.cgi?id=393987

Bug ID: 393987
Summary: Discover flatpak integration retrieves resources over http and is vulnerable to MitM attack
Product: Discover
Version: 5.12.5
Platform: Other
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: NOR
Component: Flatpak Backend
Assignee: aleix...@kde.org
Reporter: chalk...@gmail.com
CC: jgrul...@redhat.com
Target Milestone: ---

To reproduce: add `distribute.kde.org/kderuntime.flatpakrepo`. The repo file, including the GPGKey, is by default retrieved over http, and could be tampered with.

There are several problems here:

1. Discover supports adding http:// resources as flatpak repos and does not warn that that is insecure.
2. Discover supports adding repos without protocol and defaults those to http:// instead of https://
3. distribute.kde.org is configured to support http://distribute.kde.org and answers to it (to reproduce — open http://distribute.kde.org in «private mode» or just curl it). HSTS does not redirect by itself. See https://www.troyhunt.com/understanding-http-strict-transport/ for more details.

The proposed fix would be:

1. Warn on http:// repos, perhaps with an additional confirmation box
2. Default protocol-less addresses to https:// instead of http://
3. Properly configure HSTS and http->https redirects on distribute.kde.org, according to https://www.troyhunt.com/understanding-http-strict-transport/
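The two client-side fixes proposed above (flag http:// repo locations for confirmation, default protocol-less ones to https://), as an added C++ example that is not Discover's code: it normalises a user-typed repo location the way the report proposes, then parses a constructed .flatpakrepo file and accepts it only if its Url is https and a GPGKey is present. The key names `Url` and `GPGKey` are Flatpak's repo-file keys; the sample file contents and all function names are constructed for this example.

```cpp
#include <map>
#include <sstream>
#include <string>

// Result of normalising a user-supplied repo location (example types, not Discover's).
struct RepoLocation {
    std::string url;   // location with an explicit scheme
    bool insecure;     // true when the repo file would be fetched over plain http://
};

static bool startsWith(const std::string &s, const std::string &prefix) {
    return s.compare(0, prefix.size(), prefix) == 0;
}

// Proposed fix 2: a location without a scheme becomes https://, never http://.
// Proposed fix 1: an explicit http:// location is kept but flagged so the UI
// can show a confirmation box before fetching anything over it.
RepoLocation normalizeRepoLocation(const std::string &input) {
    if (startsWith(input, "https://")) return {input, false};
    if (startsWith(input, "http://"))  return {input, true};
    return {"https://" + input, false};
}

// Minimal parser for the key=value lines of a [Flatpak Repo] file.
std::map<std::string, std::string> parseFlatpakRepo(const std::string &text) {
    std::map<std::string, std::string> keys;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        if (line.empty() || line[0] == '[' || line[0] == '#') continue;
        const auto eq = line.find('=');
        if (eq == std::string::npos) continue;
        keys[line.substr(0, eq)] = line.substr(eq + 1);
    }
    return keys;
}

// Accept a repo file only if later fetches also go over https and a GPGKey
// is shipped; a file that was itself fetched over http could carry any key.
bool repoFileIsAcceptable(const std::map<std::string, std::string> &keys) {
    const auto url = keys.find("Url");
    const auto gpg = keys.find("GPGKey");
    return url != keys.end() && startsWith(url->second, "https://") &&
           gpg != keys.end() && !gpg->second.empty();
}

// Constructed sample repo files (not KDE's real kderuntime.flatpakrepo).
const char *kHttpRepoFile =
    "[Flatpak Repo]\nTitle=Example\nUrl=http://example.invalid/repo/\nGPGKey=QUJD\n";
const char *kHttpsRepoFile =
    "[Flatpak Repo]\nTitle=Example\nUrl=https://example.invalid/repo/\nGPGKey=QUJD\n";
```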