"gem install" fetches packages from unencrypted HTTP URL
Bug #1467716 reported by Simon Déziel
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ruby1.9.1 (Ubuntu) | Fix Released | Low | Unassigned |
Bug Description
Running "gem install $FOO" fetches $FOO using unencrypted HTTP which is insecure.
Steps to reproduce:
1. apt-get install ruby
2. echo 'source "https:/
3. gem install bundler
One would expect this to use HTTPS to download but it's not the case.
Additional information:
# lsb_release -rd
Description: Ubuntu 14.04.2 LTS
Release: 14.04
# apt-cache policy ruby
ruby:
Installed: 1:1.9.3.4
Candidate: 1:1.9.3.4
Version table:
*** 1:1.9.3.4 0
500 http://
100 /var/lib/
Information type: Private Security → Public Security
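The report above boils down to "which source URLs does RubyGems actually use, and are any of them plain http://". The following audit script is an added example and is not part of the bug report or of Ubuntu's ruby packaging; it parses `source` lines from a Gemfile, the `:sources:` list from a `.gemrc`, and the sources the running RubyGems has configured, and flags every entry that is not `https://` (or a local `file://`). The sample Gemfile and `.gemrc` contents are constructed inline so it runs offline.

```ruby
require 'uri'
require 'yaml'
require 'rubygems'

# Sources declared in a Gemfile body, i.e. the `source "..."` / `source '...'` lines.
def gemfile_sources(text)
  text.scan(/^\s*source\s+["']([^"']+)["']/).flatten
end

# Sources declared in a ~/.gemrc body (the `:sources:` list). Keys in .gemrc are
# YAML symbols, so Symbol has to be permitted for safe_load.
def gemrc_sources(text)
  cfg = YAML.safe_load(text, permitted_classes: [Symbol]) || {}
  Array(cfg[:sources] || cfg['sources']).map(&:to_s)
end

# Sources the currently running RubyGems would fetch from (falls back to the
# built-in default if no .gemrc overrides it).
def live_gem_sources
  Gem.sources.to_a.map(&:to_s)
end

# Keep only the entries that do not use TLS (or a local file path); unparsable
# strings are treated as insecure rather than silently accepted.
def insecure_sources(sources)
  sources.reject do |s|
    u = (URI.parse(s) rescue nil)
    u && %w[https file].include?(u.scheme)
  end
end

# Produce one report over all three places a source can come from.
def audit(gemfile_text, gemrc_text)
  found = {
    'Gemfile' => gemfile_sources(gemfile_text),
    '.gemrc'  => gemrc_sources(gemrc_text),
    'live'    => live_gem_sources,
  }
  found.transform_values { |srcs| insecure_sources(srcs) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: the Gemfile pins an http:// source, the .gemrc
  # lists one http:// and one https:// mirror.
  sample_gemfile = %(source "http://rubygems.org"\ngem 'bundler'\n)
  sample_gemrc   = ":sources:\n- http://rubygems.org/\n- https://rubygems.org/\n"
  audit(sample_gemfile, sample_gemrc).each do |where, bad|
    puts(bad.empty? ? "#{where}: all sources use https/file" :
                      "#{where}: insecure sources: #{bad.join(', ')}")
  end
end
```

Run it against real files with `audit(File.read('Gemfile'), File.read(File.expand_path('~/.gemrc')))`; an empty list for every entry means no plain-HTTP source is configured. Note that, as the reply below points out, transport encryption is only one of the controls: RubyGems can also verify gem signatures via `gem install --trust-policy HighSecurity`, which is independent of whether the download URL is http or https.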
Thank you for taking the time to report this bug and helping to make Ubuntu better.
I know that years ago "gem install" was horribly insecure, but I believe this has been improved upstream? So is this a bug in Ubuntu's packaging, or is it that it is fixed in a newer upstream (and/or Ubuntu) release, or is what you're reporting still a problem upstream?
I'll also note that using unencrypted HTTP isn't necessarily "insecure". Cryptographic verification can be done using digital signatures outside the transport protocol (for example apt does this), which is arguably more secure because it protects data at rest as well as in transit. For example, even if an apt mirror is compromised the signatures and thus package contents cannot be since the apt repository private signing keys aren't held on any mirror.
Finally, HTTPS doesn't necessarily protect privacy for software repositories either, as any attacker who could compromise your HTTP download can also observe the size and timing of your HTTPS downloads and thus often be able to guess what packages you downloaded from a repository that is already public.
So it would be useful if you could please clarify exactly what you mean by "insecure", and what needs to be fixed in Ubuntu as opposed to what is available in a newer release and what needs fixing upstream.