
Feedback Appreciated: Use of HTTP Without TLS
Closed, Resolved (Public)

Description

Greetings,

I am a security researcher, who is looking for security smells in Puppet scripts. I found instances where the HTTP protocol is used instead of HTTPS (HTTP with TLS). According to the Common Weakness Enumeration organization this is a security weakness (https://cwe.mitre.org/data/definitions/319.html). I was wondering why HTTP is used? Is it because of lack of tool support?

I am trying to find out if developers are forced to adopt bad practices due to lack of tool support when it comes to the HTTPS protocol. Maybe it is due to dependency on a resource that uses HTTP?

Any feedback is appreciated.

I noticed use of HTTP without TLS in the following scripts:

~/mariadb/manifests/packages.pp
~/cdh4/manifests/oozie.pp
~/puppet/modules/openstack/manifests/clientrepo.pp
~/puppet/modules/openstack/manifests/cloudrepo.pp
~/puppet/modules/openstack/manifests/designate/service.pp
~/puppet/modules/package_builder/manifests/pbuilder_hook.pp
~/puppet/modules/package_builder/manifests/pbuilder_base.pp
~/puppet/modules/package_builder/manifests/environments.pp
~/puppet/modules/role/manifests/labs/prometheus.pp
~/puppet/modules/role/manifests/logstash/elasticsearch.pp
~/puppet/modules/role/manifests/toollabs/elasticsearch.pp
~/puppet/modules/role/manifests/prometheus/services.pp
~/puppet/modules/role/manifests/prometheus/global.pp
~/puppet/modules/role/manifests/prometheus/beta.pp
~/puppet/modules/role/manifests/prometheus/tools.pp
~/puppet/modules/role/manifests/prometheus/ops.pp
~/puppet/modules/role/manifests/prometheus/analytics.pp
~/puppet/modules/role/manifests/prometheus/labs_project.pp
~/puppet/modules/confluent/manifests/kafka/common.pp
~/puppet/modules/docker/manifests/baseimages.pp
~/puppet/modules/eventlogging/manifests/service/service.pp
~/puppet/modules/requesttracker/manifests/config.pp
~/puppet/modules/publichtml/manifests/init.pp
~/puppet/modules/burrow/manifests/check_consumer_lag.pp
~/puppet/modules/toollabs/manifests/mono_external_repo.pp
~/puppet/modules/lvs/manifests/monitor_services.pp
~/puppet/modules/librenms/manifests/web.pp
~/puppet/modules/varnish/manifests/instance.pp
~/puppet/modules/profile/manifests/elasticsearch.pp
~/puppet/modules/profile/manifests/eventstreams.pp
~/puppet/modules/profile/manifests/swap.pp
~/puppet/modules/profile/manifests/statsd.pp
~/puppet/modules/profile/manifests/maps/alerts.pp
~/puppet/modules/profile/manifests/openstack/base/glance.pp
~/puppet/modules/profile/manifests/openstack/base/nodepool/service.pp
~/puppet/modules/profile/manifests/openstack/base/pdns/recursor/service.pp
~/puppet/modules/profile/manifests/openstack/base/nova/common/nova_network.pp
~/puppet/modules/profile/manifests/docker/engine.pp
~/puppet/modules/profile/manifests/docker/registry/swift.pp
~/puppet/modules/profile/manifests/ci/docker.pp
~/puppet/modules/profile/manifests/zookeeper/server.pp
~/puppet/modules/profile/manifests/cdh/apt.pp
~/puppet/modules/profile/manifests/kafka/burrow.pp
~/puppet/modules/profile/manifests/kafka/broker/monitoring.pp
~/puppet/modules/profile/manifests/kafka/mirror/alerts.pp
~/puppet/modules/profile/manifests/hadoop/worker.pp
~/puppet/modules/profile/manifests/hadoop/master.pp
~/puppet/modules/profile/manifests/hadoop/master/standby.pp
~/puppet/modules/profile/manifests/etcd/replication.pp
~/puppet/modules/profile/manifests/puppetmaster/common.pp
~/puppet/modules/profile/manifests/prometheus/alerts.pp
~/puppet/modules/profile/manifests/prometheus/k8s.pp
~/puppet/modules/profile/manifests/prometheus/k8s/staging.pp
~/puppet/modules/profile/manifests/kubernetes/master.pp
~/puppet/modules/profile/manifests/kubernetes/node.pp
~/puppet/modules/profile/manifests/mediawiki/hhvm.pp
~/puppet/modules/profile/manifests/mediawiki/videoscaler.pp
~/puppet/modules/cassandra/manifests/init.pp
~/puppet/modules/apt/manifests/init.pp
~/puppet/modules/mysql/manifests/server/package.pp
~/puppet/modules/parsoid/manifests/init.pp
~/puppet/modules/etcd/manifests/init.pp
~/puppet/modules/puppetmaster/manifests/puppetdb.pp
~/puppet/modules/puppetmaster/manifests/geoip.pp
~/puppet/modules/archiva/manifests/proxy.pp
~/puppet/modules/noc/manifests/init.pp
~/puppet/modules/pybal/manifests/monitoring.pp
~/puppet/modules/prometheus/manifests/apache_exporter.pp
~/puppet/modules/prometheus/manifests/server.pp
~/puppet/modules/prometheus/manifests/burrow_exporter.pp
~/puppet/modules/jenkins/manifests/init.pp
~/puppet/modules/service/manifests/configuration.pp
~/puppet/modules/service/manifests/uwsgi.pp
~/puppet/modules/service/manifests/node.pp
~/puppet/modules/monitoring/manifests/alerts/http_availability.pp
~/puppet/modules/mediawiki_singlenode/manifests/init.pp
~/puppet/modules/phabricator/manifests/vcs.pp
~/puppet/modules/phabricator/manifests/init.pp
~/puppet/modules/varnishkafka/manifests/instance.pp
~/puppet/modules/graphite/manifests/web.pp
~/puppet/modules/apache/manifests/monitoring.pp
~/puppet/modules/base/manifests/monitoring/host.pp
~/puppet/modules/wdqs/manifests/monitor/services.pp
~/puppet/modules/contint/manifests/packages/php.pp
~/mesos/manifests/repo.pp
~/vagrant/puppet/modules/changeprop/manifests/init.pp
~/vagrant/puppet/modules/role/manifests/raita.pp
~/vagrant/puppet/modules/role/manifests/kartotherian.pp
~/vagrant/puppet/modules/role/manifests/mathoid.pp
~/vagrant/puppet/modules/role/manifests/centralauth.pp
~/vagrant/puppet/modules/role/manifests/globaluserpage.pp
~/vagrant/puppet/modules/role/manifests/wikibase_repo.pp
~/vagrant/puppet/modules/role/manifests/swift.pp
~/vagrant/puppet/modules/role/manifests/ores_service.pp
~/vagrant/puppet/modules/role/manifests/eventbus.pp
~/vagrant/puppet/modules/role/manifests/scholarships.pp
~/vagrant/puppet/modules/role/manifests/varnish.pp
~/vagrant/puppet/modules/role/manifests/wikidata.pp
~/vagrant/puppet/modules/browsertests/manifests/init.pp
~/vagrant/puppet/modules/crm/manifests/init.pp
~/vagrant/puppet/modules/varnish/manifests/init.pp
~/vagrant/puppet/modules/thumbor/manifests/init.pp
~/vagrant/puppet/modules/kafka/manifests/repository.pp
~/vagrant/puppet/modules/mediawiki/manifests/psysh.pp
~/vagrant/puppet/modules/mediawiki/manifests/wiki.pp
~/vagrant/puppet/modules/elasticsearch/manifests/init.pp
~/vagrant/puppet/modules/elasticsearch/manifests/repository.pp
~/cdh/manifests/oozie.pp

Event Timeline

Legoktm added a project: SRE.
Legoktm subscribed.

I'm not sure what kind of a useful answer you're going to get... I suspect each case has a different answer/reason. For ~/vagrant, it's used as a development tool on individual developers' laptops, so connecting to local services over HTTP should be fine.

Proposing to close this task as invalid as it's vague and not actionable. Please also read and understand T201576#4490641.

Dropping automatically created lists of http links without any further investigation does not help anyone.

I am trying to find out if developers are forced to adopt bad practices due to lack of tool support when it comes to the HTTPS protocol.

That sounds like a question to ask on Freenode IRC or on the wikitech-l mailing list. I'd also highly recommend asking there before filing more of such tasks.

It's true that it's probably different for each case, but since we have to go through it case-by-case, having a list like this to check off is actually useful to me. Sending it to the mailing list would probably result in "we need to go through them one-by-one, let's make a ticket".

Also having the relevant full target URLs used in these files and sorting / uniq'ing them would be useful. One common example is use of the proxy "http://url-downloader.".
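The extraction asked for above, as an added example that is not part of this ticket or of the operations/puppet repository: a POSIX shell script that pulls every plain-http URL out of a tree of Puppet manifests, sorts and uniq's them with reference counts, and separately lists http links that only occur in leading-`#` comments (no traffic ever goes to those, so they are the false-positive / low-hanging-fruit bucket). The sample manifests and the `.invalid` hostnames are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the task or operations/puppet): list plain-http URLs
# in a tree of Puppet manifests, sorted and uniq'd with counts, and report
# separately the http links that only sit in comments (likely false positives).
set -eu

# Constructed sample manifests; hostnames under .invalid are placeholders.
make_samples() {
  dir=$(mktemp -d)
  mkdir -p "$dir/a/manifests" "$dir/b/manifests"
  cat > "$dir/a/manifests/init.pp" <<'EOF'
# Upstream docs: http://docs.example.invalid/guide (comment only)
class a {
  $proxy = 'http://url-downloader.example.invalid:8080'
  $repo  = 'http://mirror.example.invalid/debian'
}
EOF
  cat > "$dir/b/manifests/init.pp" <<'EOF'
class b {
  $proxy = 'http://url-downloader.example.invalid:8080'
  $api   = 'https://api.example.invalid/v1'   # TLS: not reported
}
EOF
  printf '%s\n' "$dir"
}

# Pull http:// URLs out of stdin, one per line (whitespace, quotes, '#' end a URL).
extract_http() {
  grep -o 'http://[^[:space:]"'"'"'#]*' || true
}

# http:// URLs on non-comment lines of every *.pp under $1: "<count> <url>", most used first.
http_urls_in_code() {
  find "$1" -name '*.pp' -exec cat {} + \
    | grep -v '^[[:space:]]*#' | extract_http | sort | uniq -c | sort -rn
}

# http:// URLs found only on leading-# comment lines under $1 (never fetched at runtime).
http_urls_only_in_comments() {
  tmp=$(mktemp)
  http_urls_in_code "$1" | awk '{print $2}' | sort -u > "$tmp"
  find "$1" -name '*.pp' -exec grep -h '^[[:space:]]*#' {} + \
    | extract_http | sort -u | grep -vxF -f "$tmp" || true
  rm -f "$tmp"
}

# Demo on the constructed tree; point the functions at a real checkout instead.
d=$(make_samples); http_urls_in_code "$d"; http_urls_only_in_comments "$d"; rm -rf "$d"
```

Inline trailing comments are not stripped, so a URL after `#` on a code line still counts as code; that keeps the list conservative.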

Change 453541 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] replace a couple http links with https where possible

https://gerrit.wikimedia.org/r/453541

Change 453541 merged by Dzahn:
[operations/puppet@production] replace a couple http links with https where possible

https://gerrit.wikimedia.org/r/453541

So yea.. I'm really not sure what we should do with this ticket. It might become a bit spammy to go through all of this and keep linking it. Might be better for an Etherpad or a wiki page with checkboxes.

That being said.. I did merge that one thing above with some easy ones that were low-hanging fruit.. http links inside comments that had working https counterparts nowadays.

Dzahn triaged this task as Low priority. Aug 21 2018, 6:02 PM
Reedy renamed this task from Feedback Appreciatted: Use of HTTP Without TLS to Feedback Appreciated: Use of HTTP Without TLS. Aug 21 2018, 6:03 PM
Reedy removed a project: Patch-For-Review.

@Akondrahman I moved your list into a pastebin so that it can be edited without causing a notification on this ticket each time. I edited your task description to include it from there.

If you want to update the list, and add more details, you can do it on P7471. I have fixed some of them that were easy but a lot of them are also false positives for various reasons. Some are legit.

I thought this might be the best compromise between rejecting the ticket and spamming Phab notifications.

Excellent. Thanks for your feedback, appreciate it.

  • Akond
Dzahn claimed this task.