Notify users of security risks in README #3
Comments
I'd suggest something along the lines of: Security note: |
jpolitz added a commit to brownplt/code.pyret.org that referenced this issue on Oct 4, 2023:
…owser @shriram reported that some image URLs were not loading through image-url() even though they'd appear fine in a browser (specifically some hosted at `cs.brown.edu`, but this could happen in many cases). The issue was that the intermediate CAs were not embedded in the certificate for that domain. This is a common SSL configuration issue that browsers work around by filling in the gaps. The Node https libraries are more strict. The fix appears to be to use https://www.npmjs.com/package/node_extra_ca_certs_mozilla_bundle, which fills in a bunch of the gaps in the certificate chain from Mozilla's trusted sources. There are fewer active users/weekly downloads of this than some popular repositories, but looking at the public issues convinces me that this is legit and right for our uses: arvind-agarwal/node_extra_ca_certs_mozilla_bundle#3 arvind-agarwal/node_extra_ca_certs_mozilla_bundle#1
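The failure the commit message describes can be reproduced offline with throw-away certificates. The script below is an added example, not code from the issue or from node_extra_ca_certs_mozilla_bundle; it builds a root -> intermediate -> leaf chain with openssl (all names and keys are constructed) and checks the leaf the way a strict client does: first against the root alone when the server sends only its leaf (the misconfiguration), then when the server also sends the intermediate, and finally against a bundle that preloads the intermediate, which is what the package provides.

```shell
#!/bin/sh
# Added demo of a missing-intermediate chain failure and its two remedies.
set -e
command -v openssl >/dev/null || { echo "openssl is required" >&2; exit 1; }
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed three-tier PKI; every key is disposable and stays in $WORK.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Demo Root CA" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 30 \
  -extfile ca.ext 2>/dev/null

openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Demo Intermediate CA" 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out int.pem -days 30 -extfile ca.ext 2>/dev/null

openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=example.test" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.test\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -out leaf.pem -days 30 -extfile leaf.ext 2>/dev/null

# verify_leaf TRUSTSTORE [SENT_BY_SERVER]
# TRUSTSTORE is the client's CA bundle; SENT_BY_SERVER is an optional extra
# certificate the server includes in its handshake (openssl's -untrusted).
# A strict client such as Node's https does no "gap filling", so this is
# exactly the check it performs. Prints "ok" or "fail".
verify_leaf() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" leaf.pem >/dev/null 2>&1 \
      && echo ok || echo fail
  else
    openssl verify -CAfile "$1" leaf.pem >/dev/null 2>&1 && echo ok || echo fail
  fi
}

# Client bundle in the spirit of node_extra_ca_certs_mozilla_bundle:
# the root store plus preloaded intermediates.
cat root.pem int.pem > bundle_with_intermediates.pem

echo "root only, server sends leaf only:         $(verify_leaf root.pem)"
echo "root only, server also sends intermediate: $(verify_leaf root.pem int.pem)"
echo "root + preloaded intermediates, leaf only: $(verify_leaf bundle_with_intermediates.pem)"
```

Note that the third case passes only because the intermediate is already in the bundle; an intermediate issued after the bundle was generated would fail like the first case, which is the staleness risk raised in the issue.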
Thanks very much for your work on this.
There are a couple of issues which I think should be addressed in the README of this project.
Security risk posed by lack of post-release updates
The README should highlight that the trusted certificate list that is generated is only updated every time a new build is released, so any certificates revoked on security grounds or added after the fact will not be present. It seems fairly obvious, but given this is a genuine security risk dependent on use case, this should be noted at the very start of the README.
In Mozilla's blog https://blog.mozilla.org/security/2020/11/13/preloading-intermediate-ca-certificates-into-firefox/ they state that Firefox does continual background updating to remove revoked certificates and add new ones.
This issue is beyond the scope of this project right now, but your users really should be notified of the risks if they stop regularly building and deploying their code, especially if their programs are used outside of controlled environments (i.e. anything that accesses the internet).
Source and Host of the data
As @nake89 in #1 suggests, you should clarify the source and host for the certificates that are being pulled in. It is correct but non-obvious, as the URLs and host company are not mentioned anywhere in the README.