Project

General

Profile

Actions

Misc #12532

closed

OpenSSL is so Difficult to find for Ruby Build Scripts that it Introduces a Security flaw

Added by martin_vahi (Martin Vahi) almost 5 years ago. Updated almost 5 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
[ruby-core:76193]

Description

The result is that people do

http://stackoverflow.com/a/25186429

gem source -r https://rubygems.org/ 
gem source -a http://rubygems.org/

leading to simplified man-in-the-middle attacks.
Gems have build/installation scripts and the rest
is, if not history, then the future.
I state that an out-dated OpenSSL in the Ruby
installation is far better than no OpenSSL at all.
Therefore it is beneficial to embed a copy of
the OpenSSL to the Ruby source, so that it
gets built and is robustly available regardless
of the operating system peculiarities.

If that all sounds too mild, then there's another
link for scaring the people, who read this comment:

https://theintercept.com/2014/03/20/inside-nsa-secret-efforts-hunt-hack-system-administrators/
(archival copy: https://archive.is/06Lr5 )

As a historical reference, according to the
movie about the Alan Turing

http://www.imdb.com/title/tt2084970/

the German Enigma got cracked due to
an operator error at the German operator side.
The people there were just too lazy to
change the "key" thoroughly enough.

Thank You for reading my comment.

Updated by martin_vahi (Martin Vahi) almost 5 years ago

Actually, build scripts might try to
use the operating system version of the OpenSSL
and if they fail to use the operating system
version, then they should use the embedded
OpenSSL source as a backup option.

Updated by darix (Marcus Rückert) almost 5 years ago

you don't want to ship an intree copy of openssl.

the proper solution is that people should use their package manager and understand how to use them.

maybe we should make ruby's build hard fail when linking openssl fails.

Updated by rhenium (Kazuki Yamaguchi) almost 5 years ago

  • Status changed from Open to Rejected

Martin Vahi wrote:

The result is that people do

http://stackoverflow.com/a/25186429

gem source -r https://rubygems.org/ 
gem source -a http://rubygems.org/

leading to simplified man-in-the-middle attacks.
Gems have build/installation scripts and the rest
is, if not history, then the future.

$ gem install <something>
Error: while executing gem (Gem::Exception)
  Unable to require openssl. install openSSL and rebuilt ruby (preferred) or use non HTTPs sources

The error message clearly says that rebuilding Ruby with ext/openssl is preferred. It is the responsibility of the user not to follow that.

I state that an out-dated OpenSSL in the Ruby
installation is far better than no OpenSSL at all.
Therefore it is beneficial to embed a copy of
the OpenSSL to the Ruby source, so that it
gets built and is robustly available regardless
of the operating system peculiarities.

I don't think so. A broken OpenSSL doesn't improve security at all. Since OpenSSL (or LibreSSL) is usually already installed on the system, the real problem is that the user is not passing a correct --with-openssl-dir to the configure script, or the user just forgets to install the header files.

Actions

Also available in: Atom PDF