{"id":1032,"date":"2014-08-05T02:31:42","date_gmt":"2014-08-05T02:31:42","guid":{"rendered":"https:\/\/trouble.org\/?p=1032"},"modified":"2014-08-05T02:31:42","modified_gmt":"2014-08-05T02:31:42","slug":"certificates-and-security","status":"publish","type":"post","link":"https:\/\/trouble.org\/?p=1032","title":{"rendered":"certificates and security"},"content":{"rendered":"

npm<\/tt> is the defacto package manager for the node.js<\/a> javascript network programming environment thingee.<\/p>\n

The folks who make npm have taken a\u00a0security leap<\/a>:<\/p>\n

npm no longer supports its self-signed certificates<\/b><\/p><\/blockquote>\n

Ah, they build the bastions of light and goodness, protecting us from the sins of the masses by standing tall.<\/p>\n

So… how do you install npm, anyway? Ah, yes, you look it up on their site.<\/a>.. let’s see… why, it’s as simple as executing raw shell commands from a host, what could go wrong with that?<\/p>\n

But let’s test it out, it’s simply (they thoughtfully tell you to put the -L option, which tells curl to go wherever they decide to redirect you in the webs):<\/p>\n

$ curl -L<\/span> https:\/\/<\/span>npmjs.org\/<\/span>install.sh |<\/span> sh<\/span>
\n$<\/div><\/div>\n

Nothing happened? Ah, they tell you to use a stupid shell so they fail silently; try again with something with a brain, bash<\/tt> this time.<\/p>\n

curl -L<\/span> https:\/\/<\/span>npmjs.org\/<\/span>install.sh |<\/span> bash<\/span>
\n%<\/span> Total %<\/span> Received %<\/span> Xferd Average Speed Time Time Time Current
\nDload Upload Total Spent Left Speed
\n100<\/span> 6711<\/span> 100<\/span> 6711<\/span> 0<\/span> 0<\/span> 17161<\/span> 0<\/span> --:--:-- --:--:-- --:--:-- 17161<\/span>
\ntar<\/span>=\/<\/span>bin\/<\/span>tar<\/span>
\nversion:
\ntar<\/span> (<\/span>GNU tar<\/span>)<\/span> 1.20<\/span>
\nCopyright (<\/span>C)<\/span> 2008<\/span> Free Software Foundation, Inc.
\nLicense GPLv3+: GNU GPL version 3<\/span> or later <<\/span>http:\/\/<\/span>gnu.org\/<\/span>licenses\/<\/span>gpl.html><\/span>
\nThis is free<\/span> software: you are free<\/span> to change and redistribute it.
\nThere is NO WARRANTY, to the extent permitted by law.
\n
\nWritten by John Gilmore and Jay Fenlason.
\ninstall<\/span> npm@<\/span>latest
\ncurl: (<\/span>60<\/span>)<\/span> SSL certificate problem, verify that the CA cert is OK. Details:
\nerror:14090086<\/span>:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
\nMore details here: http:\/\/<\/span>curl.haxx.se\/<\/span>docs\/<\/span>sslcerts.html
\n
\ncurl performs SSL certificate verification by default, using a "bundle"<\/span>
\nof Certificate Authority (<\/span>CA)<\/span> public keys (<\/span>CA certs)<\/span>. The default
\nbundle is named curl-ca-bundle.crt; you can specify an alternate file<\/span>
\nusing the --cacert<\/span> option.
\nIf this HTTPS server uses a certificate signed by a CA represented in<\/span>
\nthe bundle, the certificate verification probably failed due to a
\nproblem with the certificate (<\/span>it might be expired, or the name might
\nnot match the domain name in<\/span> the URL)<\/span>.
\nIf you'd like to turn off curl'<\/span>s verification of the certificate, use
\nthe -k<\/span> (<\/span>or --insecure)<\/span> option.
\n<<\/span>strong><\/span>curl: (<\/span>60<\/span>)<\/span> SSL certificate problem, verify that the CA cert is OK. Details:<\/<\/span>strong><\/span>
\n<<\/span>strong><\/span> error:14090086<\/span>:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed<\/<\/span>strong><\/span>
\nMore details here: http:\/\/<\/span>curl.haxx.se\/<\/span>docs\/<\/span>sslcerts.html
\n
\ncurl performs SSL certificate verification by default, using a "bundle"<\/span>
\nof Certificate Authority (<\/span>CA)<\/span> public keys (<\/span>CA certs)<\/span>. The default
\nbundle is named curl-ca-bundle.crt; you can specify an alternate file<\/span>
\nusing the --cacert<\/span> option.
\nIf this HTTPS server uses a certificate signed by a CA represented in<\/span>
\nthe bundle, the certificate verification probably failed due to a
\nproblem with the certificate (<\/span>it might be expired, or the name might
\nnot match the domain name in<\/span> the URL)<\/span>.
\n<<\/span>strong><\/span>If you'd like to turn off curl'<\/span>s verification of the certificate, use<\/<\/span>strong><\/span>
\n<<\/span>strong><\/span> the -k<\/span> (<\/span>or --insecure)<\/span> option.<\/<\/span>strong><\/span>
\nFailed to get tarball url for<\/span> npm\/<\/span>latest
\nsilent \/<\/span>etc\/<\/span>d3ck\/<\/span>tmptmp 1078<\/span> ><\/span> curl -L<\/span> https:\/\/<\/span>npmjs.org\/<\/span>install.sh |<\/span> sh<\/span>
\n%<\/span> Total %<\/span> Received %<\/span> Xferd Average Speed Time Time Time Current
\nDload Upload Total Spent Left Speed
\n100<\/span> 6711<\/span> 100<\/span> 6711<\/span> 0<\/span> 0<\/span> 18132<\/span> 0<\/span> --:--:-- --:--:-- --:--:-- 18132<\/span><\/div><\/div>\n

Yes, the same thing you always see… a crypto error, because they don’t use a valid certificate, and I don’t think they ever have. But hell, obviously these security minded folks want you to simply follow the 301s, wherever they go, execute arbitrary code from psuedo random sites stop asking pesky questions.<\/p>\n

Fortunately you can tell curl to ignore the certificate with the –insecure option (obviously the curl people are exaggerating naming it that!) and run it again:<\/p>\n

$ curl -k<\/span> -L<\/span> https:\/\/<\/span>npmjs.org\/<\/span>install.sh |<\/span> bash<\/span>
\n[<\/span>errors much like above]<\/span><\/div><\/div>\n

Well shoot. It looks like they run curl inside the script that runs curl that follows their redirects to sites with broken certificates. You folks just fill me with confidence – well, confidence that you don’t know your head from a hole in the ground WRT security.<\/p>\n

I suppose it’s better than node.js was a year or two ago, when their official advice was to:<\/p>\n

curl -Ls<\/span> goo.gl\/<\/span>JD2SR |<\/span> bash<\/span><\/div><\/div>\n

What does that do? Well, they even removed the pretense – this isn’t even a secure site, it’s using an obfuscater, and they tells curl to ignore any pesky errors or warnings.<\/p>\n

Following that single line above with strace<\/tt> revealed 1.6GB of data being tossed around, 16 hosts being involved, and who knows (I lost the output, sorry, lol) how many hundreds of programs, files, and other things were involved.<\/p>\n

And these are the people trying to tell me how to use certificates? They may be gods and networking, but they blow chunks with security. GTFO my lawn, whippersnappers, and stop chasing dreams you read in CSO magazine or wherever else you get your crappy security 411. And stop trying to demonize self-signed certs, which I guarantee you are far more numerous and far more useful that crap they try to sell you at Verisign et al*.<\/p>\n

God, certificates suck.<\/p>\n

\"Thanks<\/a><\/p>\n

* In this case nothing against Verisign, it’s just the entire rotten group of certificate authorities out there.<\/p>\n","protected":false},"excerpt":{"rendered":"

npm is the defacto package manager for the node.js javascript network programming environment thingee. The folks who make npm have taken a\u00a0security leap: npm no longer supports its self-signed certificates Ah, they build the bastions of light and goodness, protecting us from the sins of the masses by standing tall. So… how do you install […]<\/p>\n","protected":false},"author":44,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[260,19,4,6,87],"tags":[227,129,342,318,285,284],"class_list":["post-1032","post","type-post","status-publish","format-standard","hentry","category-crypto","category-philosophy","category-security","category-tech","category-web","tag-bullshit","tag-certs","tag-crypto","tag-security","tag-signed","tag-unsigned"],"_links":{"self":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/1032","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/users\/44"}],"replies":[{"embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1032"}],"version-history":[{"count":3,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/1032\/revisions"}],"predecessor-version":[{"id":1035,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/1032\/revisions\/1035"}],"wp:attachment":[{"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1032"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1032"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1032"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}