oss-sec mailing list archives
Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules
From: Steffen Nurpmeso <steffen () sdaoden eu>
Date: Thu, 20 Apr 2023 14:56:45 +0200
Hanno Böck wrote in <20230420073459.003a5be2.hanno () hboeck de>:
 |On Wed, 19 Apr 2023 23:53:40 +0200
 |Steffen Nurpmeso <steffen () sdaoden eu> wrote:
 |> IMO it is no vulnerability at all since it has "always" been _very
 |> clearly_ (even very lengthily) documented in the manual page.
 |
 |A vulnerability does not go away if it's documented, and I find that a
 |rather strange take.

Hm no, i do not, the latter not at all.
You can bundle an OpenPGP / signify / even OpenSSL signature with something and can get secure download even over non-encrypted channels.
Even DNSSEC was over unencrypted channels for twenty years, and still mostly is, so, .. that i say that one day, _that_ is strange.

I mean, i do not want to start useless and fruitless discussions, and it will be treated as a bug in HTTP::Tiny no matter what i say, hysteria is king.

 |Also I think this discussion was had many times before, as plenty of
 |libraries in other language ecosystems defaulted to not checking certs
 |or doing incomplete checks, and over time they all defaulted to the
 |sane thing: To make the secure setting the default.
 |The fact that apparently no one has ever checked this for a major perl
 |library (I mean - CPAN itself, the package manager, is affected) is
 |quite telling tbh.

There i agree with you.
Now OpenSSL is very likely there, and in appropriate versions, and a usable CA might even be available also when HTTP::Tiny goes.
Having said that, i think in NetBSD they struggle with whether they should install a complete CA by default, even though some may not need / want it (whatever else reason in their long discussions appeared), i think it is in pkgsrc only for now.

Btw, the Mozilla CA contains _only_ entries i fully and completely trust; especially so after the state of the Netherlands left before Christmas last year. No.
(And no mission here, and no nagging requirement to make money from it, either.)

(P.S.: about thirty years ago i got a handwritten letter of appreciation from a Dutch official, who overwhelmingly thanked me for paying a ticket i got when we were there. So much they appreciated honest Germans by then!)

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
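The thread is about HTTP::Tiny not verifying server certificates unless asked. The following is an added illustration, not code from the thread or from the HTTP::Tiny project, of what a caller has to do to get the secure behaviour regardless of the library default: pass the documented `verify_SSL` constructor option, check that an SSL stack is actually available via `HTTP::Tiny->can_ssl`, and treat a 599 response (HTTP::Tiny's code for internal errors, TLS failures included) as a hard failure. The URL is a placeholder and the `SSL_ca_file` path is an assumption about where the host keeps its CA bundle.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTTP::Tiny;

# Refuse to run at all if https is unusable (missing IO::Socket::SSL or
# Net::SSLeay); can_ssl returns a reason string in list context.
my ( $ssl_ok, $why ) = HTTP::Tiny->can_ssl;
die "https not usable on this host: $why\n" unless $ssl_ok;

# Fetch a URL with certificate and hostname verification switched on
# explicitly, so the result does not depend on the library default.
sub fetch_verified {
    my ($url) = @_;

    my $http = HTTP::Tiny->new(
        verify_SSL  => 1,    # validate chain against the CA store and check the hostname
        timeout     => 30,
        SSL_options => {
            # Assumed CA bundle location; drop this to let IO::Socket::SSL
            # pick the platform default store (Mozilla::CA if installed).
            SSL_ca_file => '/etc/ssl/certs/ca-certificates.crt',
        },
    );

    my $res = $http->get($url);

    # 599 is HTTP::Tiny's status for internal errors; for a failed TLS
    # handshake or certificate mismatch the reason is in {content}.
    if ( $res->{status} == 599 ) {
        die "transport/TLS error fetching $url: $res->{content}\n";
    }
    die "HTTP $res->{status} $res->{reason} fetching $url\n"
        unless $res->{success};

    return $res->{content};
}

my $body = fetch_verified('https://example.invalid/some-file');   # placeholder URL
printf "%d bytes fetched over a verified TLS connection\n", length $body;
```

With `verify_SSL` left out, the same `get` against a server presenting a self-signed or mismatched certificate would succeed silently; with it set, the call ends in the 599 branch, which is the behaviour a downloader such as a package manager wants.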
Current thread:
- Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Stig Palmquist (Apr 18)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Demi Marie Obenour (Apr 19)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Steffen Nurpmeso (Apr 19)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Hanno Böck (Apr 19)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Steffen Nurpmeso (Apr 20)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules David A. Wheeler (Apr 20)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Steffen Nurpmeso (Apr 20)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Jeffrey Walton (Apr 20)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Steffen Nurpmeso (Apr 20)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Matthew Fernandez (Apr 20)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Steffen Nurpmeso (Apr 19)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Demi Marie Obenour (Apr 19)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Reid Sutherland (May 03)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules David A. Wheeler (May 03)
- Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules Reid Sutherland (May 03)