
Fix geoip updaters for new MaxMind hashed keys by 2019-08-15
Open, Normal, Public, 0 Story Points

Description

TL;DR - MaxMind sent us an email, and they're changing how their license keys work for pulling database updates, and they've flagged our account as one that's still using an older version of the updater program itself, which is not compatible with these changes. We need to look into this and update our updaters across our infrastructure before 2019-08-15. There are some refs to this in SRE's puppet repo in modules/geoip; I'm not sure if there are also other updaters being run for e.g. Analytics using the same keys that aren't driven by that puppetization.

MaxMind
Dear Customer,
Soon after August 15, 2019, we will be hashing license keys to enhance the security of MaxMind accounts. However, because you are using an older version of our GeoIP Update program, we are unable to provide this security feature for you. We recommend upgrading your GeoIP Update to our latest release and generating a new license key by following the steps below.
Upgrade your GeoIP Update.
Generate a new license key to use with GeoIP Update.
Make sure to copy down your new license key as it will not be available in full after the initial creation.
If you lose your license key, you can generate a new one on that same page. The newly generated license key will be shown to you in full only once for you to copy it down for safe keeping.
If you have any questions, please do not hesitate to contact us at support@maxmind.com.
Thank you,
MaxMind team

Event Timeline

BBlack triaged this task as Normal priority. Jul 19 2019, 5:22 PM
BBlack created this task.
Restricted Application added a subscriber: Aklapper. Jul 19 2019, 5:22 PM
faidon added a subscriber: faidon. Jul 20 2019, 3:34 AM

Note that they do not say that we will stop getting updates but merely that we won't be able to benefit from this "security feature". It does sound scary on a first read, though -- I got confused myself.

We use the v2.5.0 backport of geoipupdate on stretch systems and v3.1.1 on buster. There is a new upstream, v4.0.x, that is a rewrite from C to Go, but that is not yet packaged in Debian (note that I am the Debian maintainer for geoipupdate).

I checked both the git tip of the C and the Go versions and I found no references to any sort of hashing - both seem to use HTTP Basic Auth:

/* C version (geoipupdate 2.x/3.x): account id and key become HTTP Basic Auth credentials */
curl_easy_setopt(curl, CURLOPT_USERNAME, account_id);
curl_easy_setopt(curl, CURLOPT_PASSWORD, gu->license.license_key);

// Go version (geoipupdate 4.x): same credentials, same HTTP Basic Auth
if config.AccountID != 0 {
        req.SetBasicAuth(fmt.Sprintf("%d", config.AccountID), config.LicenseKey)
}

I also looked for other branches, searched their documentation, searched at maxmind.com, etc. and found no references of this whatsoever. Perhaps this is for an upcoming release that they haven't released yet?

Also: the server supports HTTPS (and geoipupdate defaults to it), so I'm not sure how the hashing of license keys is going to help with anything...
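To make the HTTP Basic Auth point concrete, here is an added example that is not part of the ticket nor of geoipupdate itself: a mock update endpoint that verifies the credentials against SHA-256 hashes of license keys, and a client that sends them the way the quoted snippets do. That the server hashes keys at rest is an assumption about what MaxMind's announcement means; the account id, key and endpoint are constructed. Storing only hashes server-side changes nothing on the wire, so the client still sends the key in plaintext inside TLS.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// hashKey is the assumed at-rest form of a license key on the server side.
func hashKey(key string) [32]byte { return sha256.Sum256([]byte(key)) }

// updateServer stands in for the update endpoint, checking Basic Auth against stored key hashes.
func updateServer(stored map[string][32]byte) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		account, key, ok := r.BasicAuth()
		want, found := stored[account]
		got := hashKey(key)
		if !ok || !found || subtle.ConstantTimeCompare(got[:], want[:]) != 1 {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		w.WriteHeader(http.StatusOK)
	})
}

// fetchUpdate mirrors the quoted client: account id and key go out as HTTP Basic Auth inside TLS.
func fetchUpdate(url string, accountID int, licenseKey string) (int, error) {
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return 0, err
	}
	req.SetBasicAuth(fmt.Sprintf("%d", accountID), licenseKey)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	// Constructed sample credentials, not real MaxMind values.
	srv := httptest.NewServer(updateServer(map[string][32]byte{"123456": hashKey("constructed-key")}))
	defer srv.Close()
	good, _ := fetchUpdate(srv.URL, 123456, "constructed-key")
	bad, _ := fetchUpdate(srv.URL, 123456, "wrong-key")
	fmt.Println(good, bad) // 200 401
}
```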

ema moved this task from Triage to General on the Traffic board. Jul 22 2019, 9:38 AM
fdans moved this task from Incoming to Radar on the Analytics board. Jul 22 2019, 4:05 PM

@faidon: we don't have any updaters on our end, we just move the databases around and keep backups for historical use. But let us know if you run into any problems.

jbond added a subscriber: jbond. Aug 14 2019, 4:48 PM