Add certificate pinning or a similar alternative to pip https support. #1168

Closed
nejucomo opened this issue Aug 26, 2013 · 4 comments
Labels: auto-locked (Outdated issues that have been locked by automation), type: enhancement (Improvements to functionality)

Comments

@nejucomo
Certificate pinning can prevent MITM attacks where the attacker colludes with a certificate authority other than the CA specified by pinning. In the context of pip, such an attack would allow an attacker colluding with a certificate authority to inject code during a pip install.

This is mentioned as a "bonus feature" in #1167, and I decided to make a separate ticket because tickets with more specific scope are more likely to be useful.

@dstufft (Member) commented Aug 26, 2013

As mentioned in the other thread I'm +1 on this feature.

I believe it needs:

  • Exposed in the config so users can manually pin for a particular domain
  • Ideally allow domains to pin themselves; there are a couple of options here, but probably the most promising is https://tools.ietf.org/html/draft-ietf-websec-key-pinning-01, which is also implemented in Chrome. There is also http://tack.io/ but it requires a TLS extension and thus is harder to implement.

As an aside, users can approximate this feature already using a custom CA bundle, but that's far less useful than proper certificate pinning.
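What a manually configured per-domain pin of the kind described above would actually check, as an added example that is not pip's code or part of this thread: the pin is computed the way the key-pinning draft linked in the comment does it (SHA-256 over the DER SubjectPublicKeyInfo, base64-encoded). The tiny DER reader, the function names, and the sample certificate-shaped structure are all constructed for the example; the sample is not a real certificate.

```python
import base64
import hashlib
import socket
import ssl

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo (with its own header) from an X.509 certificate."""
    _, cert, _ = _tlv(cert_der, 0)          # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = _tlv(cert, 0)               # TBSCertificate ::= SEQUENCE { ... }
    tag, _, pos = _tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0         # skip the optional [0] EXPLICIT version (absent in v1)
    for _ in range(5):                      # serialNumber, signature, issuer, validity, subject
        _, _, pos = _tlv(tbs, pos)
    _, _, end = _tlv(tbs, pos)              # subjectPublicKeyInfo
    return tbs[pos:end]

def spki_pin(cert_der):
    """HPKP-style pin: 'sha256/' + base64(SHA-256 over the DER SubjectPublicKeyInfo)."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")

def cert_matches_pins(cert_der, pins):
    """True if the certificate's SPKI pin is one of the pins configured for the host."""
    return spki_pin(cert_der) in set(pins)

def check_pinned_host(host, pins, port=443):
    """Normal CA validation first, then additionally require one of the configured pins."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return cert_matches_pins(tls.getpeercert(binary_form=True), pins)

# Constructed sample: a certificate-shaped DER structure (not a real or signed certificate),
# just enough to exercise the parser and the pin computation offline.
def _der(tag, body):
    return bytes([tag, len(body)]) + body   # short-form length; every body here is < 128 bytes

SAMPLE_SPKI = _der(0x30, _der(0x30, b"\x06\x03\x2b\x65\x70") + _der(0x03, b"\x00" + bytes(32)))
_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") * 4 + SAMPLE_SPKI)
SAMPLE_CERT = _der(0x30, _TBS + _der(0x30, b"") + _der(0x03, b"\x00"))
```

Pinning the SPKI rather than the whole certificate lets a host renew its certificate under the same key without breaking the pin; pin a backup key as well, since a lost key with no backup pin locks clients out.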

@xavfernandez xavfernandez added the type: enhancement Improvements to functionality label Oct 9, 2015
@dstufft (Member) commented Mar 24, 2017

Closing this; in the time since this was opened I've become -1 on this feature. The place where it would be most useful is PyPI, but PyPI can't pin because we don't control all of our certificates (Fastly controls some of them). In addition, this is more or less superseded by the TUF proposal to add package signing, and at that point we only rely on HTTPS for confidentiality.

In addition since we use requests (which uses urllib3) we will get this for "free" if urllib3 implements urllib3/urllib3#607.

@dstufft dstufft closed this as completed Mar 24, 2017
@LucidOne

Perhaps pip could implement something like a backwards version of Let's Encrypt and update a list of possible pinned certificates from a PGP-signed file on PyPI? That way Debian, Fedora, etc. only need to ship with the most recent PyPI PGP signing key, and pip can securely update as the pinned certificates change instead of when downstream updates their repos.

lock bot commented May 28, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot added the auto-locked Outdated issues that have been locked by automation label May 28, 2019
@lock lock bot locked as resolved and limited conversation to collaborators May 28, 2019