On Tue, 2016-11-01 at 09:44 -0400, Travis Burtrum wrote:
On 10/31/2016 05:24 PM, Daniel Micay wrote:
Perhaps Pacman should just learn to respect HPKP? It's actually supported by wget now; take a look at ~/.wget-hsts. Pacman could have a similar file in the sync database directory. Then it just kicks in after the first connection, and as long as Pacman keeps accessing that mirror it will keep updating the date. It could work quite well since we don't support not upgrading for long periods of time.
Those are 2 different things though: wget supports HSTS, not HPKP, though pinning public keys is part of HPKP. I plan eventually to write HPKP support for curl/wget, but that's a pretty ambitious project I don't have time for right now.
However, with as often as pacman pushes the mirrorlist, it could include just a hard-coded set of hashes for TLS servers. Or a simple script generates and installs them for those who care.
Ah, right. HPKP is just that though: a list of key hashes that are permitted (if they appear anywhere in the trust chain). We don't know how mirrors manage their HTTPS keys unless they use HPKP, so what good is pinning them manually? It'll eventually fail, and you can't know if it's an attack or they replaced the certificate.
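As an added illustration, not code from this thread or from pacman, here is the ~/.wget-hsts-style per-mirror store the first message describes, with the "any pinned key anywhere in the chain" rule from the last one; the pin format, file layout and 90-day expiry are assumptions of mine.

```python
import base64
import hashlib
import time

# Assumption: a mirror not contacted for 90 days is forgotten and re-learned.
MAX_AGE = 90 * 24 * 3600


def spki_hash(spki_der: bytes) -> str:
    """HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


class PinStore:
    """Per-host pins plus a last-seen time, like ~/.wget-hsts keeps per-host HSTS state."""

    def __init__(self):
        self.entries = {}  # host -> {"pins": set of pin strings, "seen": epoch seconds}

    def check_chain(self, host, chain_spki, now=None):
        """Return 'learned', 'ok' or 'mismatch'.
        chain_spki: SubjectPublicKeyInfo DER of each cert in the presented chain."""
        now = time.time() if now is None else now
        presented = {spki_hash(s) for s in chain_spki}
        entry = self.entries.get(host)
        if entry is not None and now - entry["seen"] > MAX_AGE:
            entry = None  # stale entry: fall back to trust-on-first-use
        if entry is None:
            # First contact: pin every key in the chain, so a later leaf
            # rotation under the same intermediate still matches.
            self.entries[host] = {"pins": presented, "seen": now}
            return "learned"
        if presented & entry["pins"]:  # any pinned key anywhere in the chain
            entry["seen"] = now  # refresh, as wget bumps the HSTS date
            return "ok"
        # No pinned key present. As the thread notes, this alone cannot tell
        # an attack from a legitimate key replacement, so fail closed.
        return "mismatch"

    def dump(self) -> str:
        """One tab-separated line per host, in the spirit of ~/.wget-hsts."""
        return "\n".join(f"{h}\t{','.join(sorted(e['pins']))}\t{int(e['seen'])}"
                         for h, e in self.entries.items())
```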