Verifying checksum of update-resolv-conf.sh #63
Comments
|
Is |
|
The file is downloaded from There is no reason to download a script that is later executed as root without verifying if the script is still the same. This makes security audits of |
|
If an attacker has access to |
|
... Right, but I would download But downloading a file without checking the checksum breaks this assumption. Right I could just ship |
|
It would be easier to download |
|
Yeah, that's actually what happens. It only downloads that file if the requirement isn't fulfilled and you explicitly tell the program to download and execute that file. So as long as you don't say yes to the prompt, you are good with checking once. |
|
Its not only about only about me, its for every user how can I tell someone to use this script if I don't know what its going to execute based on what the user chooses? Not verifying the checksum breaks reproducibility and any review of it is useless. Just because a user can decide if it gets installed or not doesn't mean its good practice. Other than this, the prompt says I don't think we have to continue discussing this, I think this should be fixed. |
|
And what about the program itself? I mean, you download that as well without verifying any checksum. |
|
I reviewed it, I can distribute the file myself or download it again and compare the checksum with the code that I reviewed. Do we really have to discuss that downloading files that are executed as root without checking a checksum is not the greatest idea? Especially if you consider that its a software related to privacy, make it as safe as possible, there is NO REASON TO NOT VERIFY THE CHECKSUM. |
Except that I'm pretty sure it literally doesn't do anything in this instance. But again, maybe I'm misunderstanding the issue--in which case, feel free to ignore me. |
|
I read the script once, download the second script check the checksum, I successfully reviewed both and I know until the main script updates the checksum I can trust both. As long as there is no checksum check I can't tell anyone that its safe to use, because I don't know what file its going to download. |
|
The only benefit I see is when you really download the file once, distribute it yourself across the machines and never download another version and never update it. And I would say 99% of users won't do it this way. And if you download the script from github before installation, there is no security benefit from it. You could add the check yourself for your version, but overall it doesn't give a benefit to most users. And if the script gets updated, you have to take the extra step to update the checksum in the other file. |
|
There is no reason to verify checksums of files that are downloaded and executed as root. There is absolutely no reason to worry. IT WAS JUST A PRANK!11 APRILS FOOLS HEHEHEHE!!1
Got you, right lets add an update mechanism to
|
|
Hi everyone The ideas that came up to me to define the risk model is:
On the other hand, if Github is compromised, you as a user will be compromised too eventually using any of the packages that uses Github you use in your daily life. Please put this as my personal thought (not ProtonMail's thoughts) to avoid confusion. I read an article recently about how everything is centralized on Github, but can't find a link to it.
|
|
Those are the discussions I like. Constructive and based on arguments. /s
I've never said that. But there won't be a benefit from verifying the checksum within the script. If the file is malicious, this means either ProtonVPN's github was hacked or ProtonVPN themselves turned malicious. In both scenarios, they could change the main script and attack you with that already (because that won't be verified). I really don't see the security benefit from automatically checking the file. |
|
@mazen160 What if someones account with push access to https://github.com/ProtonVPN/scripts gets compromised? @Rafficer yes sorry, but its getting funny. What is the reason to not verify the checksum? You can still have an genuine "main script" which downloads the compromised one. What is the reason that the OpenVPN hook script is "updatable" without checking a checksum, why is the main script not updatable? I still don't see why you are AGAINST adding a checksum check?
You download the main script proactively, if you don't read it and run it you are at fault, but why is it necessary to download another script without checking the checksum. |
|
@Duncaen We do put extra security measures to accounts with access to data/code such as https://github.com/ProtonVPN/scripts. Although everything should be possible in our minds, I highly don't expect this to occur. In all cases, we should create hypothetical scenarios and build security measures to protect against it. I'm adding the check tonight. |
Thank you, that is the first reasonable reply. There is no reason to not do this if the scenario exists and there is a simple way to avoid it. Thanks, have a nice weekend. |
|
If ProtonVPN GitHub account is compromised this repository would be compromised as well. It implies that even if The problem here is not your concern, but the false sense of security that your solution implies. It simply doesn't address the problem in the real world. |
|
Yep. I'm not against it, but I just don't see the benefit, but I see the downside in terms of maintenance cost (given that the script would change, which doesn't happen anyway) and false sense of security. The script checks if resolv-conf is installed with the requirement check. In 99% of the cases, you run into issues there when you run the script for the first time and that's also when resolv-conf.sh will be downloaded. After that, never again. So in most (and it's by far the most) the script is downloaded from github and executed as root, without any kind of check, then it checks if resolv-conf is legit... At this point, the PC is already hijacked if ProtonVPN's github account got hacked. That is why I don't see what it adds. The only benefit is when you download the script once, check if it's done correct and from there on never download it on any machine again ever. And also don't update it without checking the full code every time before doing so. And I don't think we have to debate how many users will go through that procedure. |
|
Right @xilopaint, the self updating mechanism is as dangerous as downloading the second script, but at least I have to initiate the update manually. I personally would tag releases and if possible remove the update mechanism. But lets make small steps, It took 20 replies to get one checksum lol... |
|
I agree with all the ideas mentioned here. The added value is quite low, as it's relatively almost impossible (we should not say impossible to any scenario) to execute the scenario. However, an added security addition that doesn't break functionality does not harm :) |
|
Commit: 434804c |
It's not how security works. The approach should not to be making a step and think about the next after that. We should think on the whole scenario before moving forward. |
|
The only issue I see now is that the file gets saved as /etc/openvpn/update-resolv-conf anyway, but not executable. This makes it impossible to connect for the user as the program just checks if that file exists and then leaves it as it is. I'm going to make a fix tomorrow for that if nobody comes forth. |
|
The only issue to me is that this file is completely useless for macOS and it keeps being installed. 😂 |
|
@Rafficer Done ;) @xilopaint I'm doing something now for this part :) |
|
Thanks everyone for the awesome discussion! |
I am actually in favor of tagging releases. |
|
@njfox Yup, this will change soon. Once we finish Issue:65, and implement some of the features in the roadmap, this will be done 👍 |
This is the main reason why I'm not in favor of tagging releases in this moment. |
Please consider to add a checksum for the
update-resolv-conf.shscript that is downloaded.Without verifying the checksum there is no way to verify if
protovpn-cliis safe, because there is no definite state. The downloaded script can change at any time and start to do something malicious.The text was updated successfully, but these errors were encountered: