Message ID | 20200709194820.27032-1-grandmaster@al2klimov.de (mailing list archive) |
---|---|
State | New, archived |
Series | SCSI RDMA PROTOCOL (SRP) TARGET: Replace HTTP links with HTTPS ones |
On 2020-07-09 12:48, Alexander A. Klimov wrote: > diff --git a/drivers/infiniband/ulp/srpt/Kconfig b/drivers/infiniband/ulp/srpt/Kconfig > index 4b5d9b792cfa..f63b34d9ae32 100644 > --- a/drivers/infiniband/ulp/srpt/Kconfig > +++ b/drivers/infiniband/ulp/srpt/Kconfig > @@ -10,4 +10,4 @@ config INFINIBAND_SRPT > that supports the RDMA protocol. Currently the RDMA protocol is > supported by InfiniBand and by iWarp network hardware. More > information about the SRP protocol can be found on the website > - of the INCITS T10 technical committee (http://www.t10.org/). > + of the INCITS T10 technical committee (https://www.t10.org/). It is not clear to me how modifying an URL in a Kconfig file helps to reduce the attack surface on kernel devs? Thanks, Bart.
Am 10.07.20 um 16:22 schrieb Bart Van Assche: > On 2020-07-09 12:48, Alexander A. Klimov wrote: >> diff --git a/drivers/infiniband/ulp/srpt/Kconfig b/drivers/infiniband/ulp/srpt/Kconfig >> index 4b5d9b792cfa..f63b34d9ae32 100644 >> --- a/drivers/infiniband/ulp/srpt/Kconfig >> +++ b/drivers/infiniband/ulp/srpt/Kconfig >> @@ -10,4 +10,4 @@ config INFINIBAND_SRPT >> that supports the RDMA protocol. Currently the RDMA protocol is >> supported by InfiniBand and by iWarp network hardware. More >> information about the SRP protocol can be found on the website >> - of the INCITS T10 technical committee (http://www.t10.org/). >> + of the INCITS T10 technical committee (https://www.t10.org/). > > It is not clear to me how modifying an URL in a Kconfig file helps to > reduce the attack surface on kernel devs? Not on all, just on the ones who open it. > > Thanks, > > Bart. > >
On 2020-07-10 11:12, Alexander A. Klimov wrote: > Am 10.07.20 um 16:22 schrieb Bart Van Assche: >> On 2020-07-09 12:48, Alexander A. Klimov wrote: >>> diff --git a/drivers/infiniband/ulp/srpt/Kconfig b/drivers/infiniband/ulp/srpt/Kconfig >>> index 4b5d9b792cfa..f63b34d9ae32 100644 >>> --- a/drivers/infiniband/ulp/srpt/Kconfig >>> +++ b/drivers/infiniband/ulp/srpt/Kconfig >>> @@ -10,4 +10,4 @@ config INFINIBAND_SRPT >>> that supports the RDMA protocol. Currently the RDMA protocol is >>> supported by InfiniBand and by iWarp network hardware. More >>> information about the SRP protocol can be found on the website >>> - of the INCITS T10 technical committee (http://www.t10.org/). >>> + of the INCITS T10 technical committee (https://www.t10.org/). >> >> It is not clear to me how modifying an URL in a Kconfig file helps to >> reduce the attack surface on kernel devs? > > Not on all, just on the ones who open it. Is changing every single HTTP URL in the kernel into a HTTPS URL the best solution? Is this the only solution? Has it been considered to recommend kernel developers who are concerned about MITM attacks to install a browser extension like HTTPS Everywhere instead? Thanks, Bart.
Am 12.07.20 um 21:52 schrieb Bart Van Assche: > On 2020-07-10 11:12, Alexander A. Klimov wrote: >> Am 10.07.20 um 16:22 schrieb Bart Van Assche: >>> On 2020-07-09 12:48, Alexander A. Klimov wrote: >>>> diff --git a/drivers/infiniband/ulp/srpt/Kconfig b/drivers/infiniband/ulp/srpt/Kconfig >>>> index 4b5d9b792cfa..f63b34d9ae32 100644 >>>> --- a/drivers/infiniband/ulp/srpt/Kconfig >>>> +++ b/drivers/infiniband/ulp/srpt/Kconfig >>>> @@ -10,4 +10,4 @@ config INFINIBAND_SRPT >>>> that supports the RDMA protocol. Currently the RDMA protocol is >>>> supported by InfiniBand and by iWarp network hardware. More >>>> information about the SRP protocol can be found on the website >>>> - of the INCITS T10 technical committee (http://www.t10.org/). >>>> + of the INCITS T10 technical committee (https://www.t10.org/). >>> >>> It is not clear to me how modifying an URL in a Kconfig file helps to >>> reduce the attack surface on kernel devs? >> >> Not on all, just on the ones who open it. > > Is changing every single HTTP URL in the kernel into a HTTPS URL the best > solution? Is this the only solution? Has it been considered to recommend > kernel developers who are concerned about MITM attacks to install a browser > extension like HTTPS Everywhere instead? I've installed that addon myself. But IMAO it's just a workaround which is (not available to all browsers, not installed by default in any of them and) not even 100% secure unless you tick a particular checkbox. Anyway the majority of maintainers and Torvalds himself agree with my solution. I mean, just look at git log '--author=Alexander A. Klimov <grandmaster@al2klimov.de>' \ --oneline v5.7..master Or (better) wait for v5.9-rc1 (and all the yet just applied patches it will consist of) *and then* run the command. > > Thanks, > > Bart. >
On Sun, Jul 12, 2020 at 10:15:29PM +0200, Alexander A. Klimov wrote: > > > Am 12.07.20 um 21:52 schrieb Bart Van Assche: > > On 2020-07-10 11:12, Alexander A. Klimov wrote: > > > Am 10.07.20 um 16:22 schrieb Bart Van Assche: > > > > On 2020-07-09 12:48, Alexander A. Klimov wrote: > > > > > diff --git a/drivers/infiniband/ulp/srpt/Kconfig b/drivers/infiniband/ulp/srpt/Kconfig > > > > > index 4b5d9b792cfa..f63b34d9ae32 100644 > > > > > +++ b/drivers/infiniband/ulp/srpt/Kconfig 
> > > > > @@ -10,4 +10,4 @@ config INFINIBAND_SRPT > > > > > that supports the RDMA protocol. Currently the RDMA protocol is > > > > > supported by InfiniBand and by iWarp network hardware. More > > > > > information about the SRP protocol can be found on the website > > > > > - of the INCITS T10 technical committee (http://www.t10.org/). > > > > > + of the INCITS T10 technical committee (https://www.t10.org/). > > > > > > > > It is not clear to me how modifying an URL in a Kconfig file helps to > > > > reduce the attack surface on kernel devs? > > > > > > Not on all, just on the ones who open it. > > > > Is changing every single HTTP URL in the kernel into a HTTPS URL the best > > solution? Is this the only solution? Has it been considered to recommend > > kernel developers who are concerned about MITM attacks to install a browser > > extension like HTTPS Everywhere instead? > I've installed that addon myself. > But IMAO it's just a workaround which is (not available to all browsers, not > installed by default in any of them and) not even 100% secure unless you > tick a particular checkbox. > > Anyway the majority of maintainers and Torvalds himself agree with my > solution. > > I mean, just look at > git log '--author=Alexander A. Klimov <grandmaster@al2klimov.de>' \ > > Or (better) wait for v5.9-rc1 (and all the yet just applied patches it will > consist of) *and then* run the command. Well, if you are going to do this please send just one patch for all of drivers/infiniband/ and include/rdma I don't need to see it broken up any more than that Jason
diff --git a/drivers/infiniband/ulp/srpt/Kconfig b/drivers/infiniband/ulp/srpt/Kconfig index 4b5d9b792cfa..f63b34d9ae32 100644 --- a/drivers/infiniband/ulp/srpt/Kconfig +++ b/drivers/infiniband/ulp/srpt/Kconfig @@ -10,4 +10,4 @@ config INFINIBAND_SRPT that supports the RDMA protocol. Currently the RDMA protocol is supported by InfiniBand and by iWarp network hardware. More information about the SRP protocol can be found on the website - of the INCITS T10 technical committee (http://www.t10.org/). + of the INCITS T10 technical committee (https://www.t10.org/).
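Review bot: on the one changed line of the INFINIBAND_SRPT help text (the T10 link), the diff alone cannot show that https://www.t10.org/ answers and serves the same content as the HTTP version; the commit message gives only the generic rule, so naming the checked URL there would let a reviewer confirm it without rerunning the check. The change is confined to Kconfig help text and does not affect the build. Since the maintainer asks for one patch covering drivers/infiniband/ and include/rdma, this hunk would be better folded into that combined patch than sent on its own.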
Rationale:
Reduces attack surface on kernel devs opening the links for MITM
as HTTPS traffic is much harder to manipulate.

Deterministic algorithm:
For each file:
  If not .svg:
    For each line:
      If doesn't contain `\bxmlns\b`:
        For each link, `\bhttp://[^# \t\r\n]*(?:\w|/)`:
          If neither `\bgnu\.org/license`, nor `\bmozilla\.org/MPL\b`:
            If both the HTTP and HTTPS versions
            return 200 OK and serve the same content:
              Replace HTTP with HTTPS.

Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de>

---

Continuing my work started at 93431e0607e5.
See also: git log --oneline '--author=Alexander A. Klimov <grandmaster@al2klimov.de>' v5.7..master
(Actually letting a shell for loop submit all this stuff for me.)

If there are any URLs to be removed completely or at least not HTTPSified:
Just clearly say so and I'll *undo my change*.
See also: https://lkml.org/lkml/2020/6/27/64

If there are any valid, but yet not changed URLs:
See: https://lkml.org/lkml/2020/6/26/837

If you apply the patch, please let me know.

drivers/infiniband/ulp/srpt/Kconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
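The "Deterministic algorithm" from the commit message above, written out as an added example; this is not the author's script, which the page does not show. The three regular expressions are copied from the commit message, while the function names, the `urllib` fetch and the byte-for-byte body comparison are assumptions about how "return 200 OK and serve the same content" could be checked.

```python
import http.client
import re
import urllib.request

# Patterns copied verbatim from the commit message.
XMLNS = re.compile(r"\bxmlns\b")
LINK = re.compile(r"\bhttp://[^# \t\r\n]*(?:\w|/)")
EXEMPT = re.compile(r"\bgnu\.org/license|\bmozilla\.org/MPL\b")


def fetch(url, timeout=10):
    """Return (status, body); (None, b"") on any network or TLS failure."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except (OSError, ValueError, http.client.HTTPException):
        return None, b""


def same_over_https(http_url, fetch=fetch):
    """True only if both schemes answer 200 OK with identical bodies (assumed check)."""
    https_url = "https://" + http_url[len("http://"):]
    status_http, body_http = fetch(http_url)
    status_https, body_https = fetch(https_url)
    return status_http == 200 and status_https == 200 and body_http == body_https


def httpsify(path, text, verify=same_over_https):
    """Apply the per-file, per-line and per-link rules to the contents of one file."""
    if path.endswith(".svg"):              # "If not .svg"
        return text
    out = []
    for line in text.splitlines(keepends=True):
        if not XMLNS.search(line):         # namespace URIs are identifiers, not links
            line = LINK.sub(
                lambda m: "https://" + m.group(0)[len("http://"):]
                if not EXEMPT.search(m.group(0)) and verify(m.group(0))
                else m.group(0),
                line,
            )
        out.append(line)
    return "".join(out)
```

Passing a stub as `verify` keeps the rewrite rules testable offline; with the default, a link is left unchanged whenever either fetch fails, including on a certificate error.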