Project

General

Profile

Actions

Misc #12532

closed

OpenSSL is so Difficult to find for Ruby Build Scripts that it Introduces a Security flaw

Added by martin_vahi (Martin Vahi) over 8 years ago. Updated over 8 years ago.

Status:
Rejected
Assignee:
-
[ruby-core:76193]

Description

The result is that people do

http://stackoverflow.com/a/25186429

gem source -r https://rubygems.org/ 
gem source -a http://rubygems.org/

leading to simplified man-in-the-middle attacks.
Gems have build/installation scripts and the rest
is, if not history, then the future.
I state that an out-dated OpenSSL in the Ruby
installation is far better than no OpenSSL at all.
Therefore it is beneficial to embed a copy of
the OpenSSL to the Ruby source, so that it
gets built and is robustly available regardless
of the operating system peculiarities.

If that all sounds too mild, then there's another
link for scaring the people, who read this comment:

https://theintercept.com/2014/03/20/inside-nsa-secret-efforts-hunt-hack-system-administrators/
(archival copy: https://archive.is/06Lr5 )

As a historical reference, according to the
movie about the Alan Turing

http://www.imdb.com/title/tt2084970/

the German Enigma got cracked due to
an operator error at the German operator side.
The people there were just too lazy to
change the "key" thoroughly enough.

Thank You for reading my comment.

Actions

Also available in: Atom PDF

Like0
Like0Like0Like0