How could we make it possible to verify that what we download is what the developers wrote?  Using github is one way, but it would be nice if this was possible for releases too.  I mean, it's quite scary running code downloaded from the internet already - we have to trust the people that made the release - but we could at least eliminate adfly or a MITM messing with the jars.

 

I would suggest moving the download page to https and providing embedded md5 and sha1 sums.  How do we do this?

 

HTTPS does nothing.

Embedded md5s do nothing.

The new downloads page Overmind is working on however will list the md5s/sha1s for downloads how this must be made clear that this is for corruption detection only as those md5s are only as good as the site they come from.

Only thing you can really do is have a trusted source and only ever use that source. If that source also proides md5s then yay, but that's not security.

 

Another possibility we are trying to push modders twards i SIGNING THEIR BUILT JARS. And when that becomes more popular I plan on doing a very basic USER CONTROLLED keystore/trust thing. Not sure how to work it out yet but thats the plan.

 

TLDR: Only download from trusted sources.

I am talking about Forge itself, not individual mods.

 

> TLDR: Only download from trusted sources.

 

That's the point - typing minecraftforge.net into the url bar does not guarantee that you're looking at the real minecraftforge.net.  You hope it does, but it's possible to spoof if you've got low enough latency to the client (or if you pwn a gateway server).

 

So that's the problem: how do I get a server that I can trust?  Even https with a self-signed cert would be *something*, because I could verify that minecraftforge.net is the same minecraftforge.net that I visited last time.

 

If you have been compromised at that level you're fucked anyways and downloading mods is the LEAST of your concerns, so It's not really a valid argument.

Either way when it comes to that there is no countermeasure around it.

Self-signed certs can be forged, pages can be injected, files can be modified.

There isn't anything you can do, and if you do have ideas explain them and I could probably come through and explain to you why they are not valid.

If you have been compromised at that level you're fucked anyways and downloading mods is the LEAST of your concerns, so It's not really a valid argument.

 

Not at all.  These are the assumptions that were made when designing HTTPS.

 

Self-signed certs can be forged, pages can be injected, files can be modified.

 

Well, ideally you wouldn't use a self-signed certificate, but like I said, it's better than what you have at the moment.  Remember that me having a copy of your certificate does not allow me to impersonate you: although it may verify, without your private key (which you do not give out) there's no way for me to complete the TLS handshake.

 

Pages cannot be usefully injected when they use HTTPS.  Unless you're from the future and know about something those of us in the industry don't, the only thing you can inject into a TLS connection without having the session key is garbage.

 

There isn't anything you can do, and if you do have ideas explain them and I could probably come through and explain to you why they are not valid.

 

I would enjoy you splaining to me how the mechanism we've been using to secure the internet for decades now does not work.

Short answer, Humans. You don't have to have my cert to make it appear that you have my cert. TLS means nothing when you control one of the end points. Gateways can be endpoints for all the end user cares. The end user just sees a fancy lock icon on there screen and thinks they are safe. Or beyond that most end users don't even notice the lock at all.

 

I'm not going to get into a argument over the fundamentals of security with you. The fact is that Forge is not a security authority and as such we do not have the ability to give or force modders to use signatures nor do we have the authority to act as a root cert for mods. It's not our place.

 

This is a stupid argument, we have the best we can do on our end to allow you to attempt to verify the file integrity when downloading. For SECURITY you're on your own. Only download from trusted sources.

Thanks for your reply.

 

Short answer, Humans. You don't have to have my cert to make it appear that you have my cert.

 

This is both true and meaningless.  I can't spoof your cert *and* have the trust chain check out unless I've directly copied it (including your public key).  And if I've directly copied it, I can't use it to immitate you, because I don't have your private key.  You seem to have a fundamental misunderstanding of how x509 certs work and I don't seem to be able to help you there, so maybe you can attempt the attack on your bank yourself sometime.

 

TLS means nothing when you control one of the end points. Gateways can be endpoints for all the end user cares.

 

If you have a theoretical MITM on TLS using a Gateway, I'd love to hear about it.  The one recent example of this involved first installing a malcious CA on the client machine.  In other words, the client (or OEM) installed the vulnerability themselves.  It's not something that can be done to just anyone.

 

The end user just sees a fancy lock icon on there screen and thinks they are safe. Or beyond that most end users don't even notice the lock at all.

 

Non-sequitur.  Just because this guy

exists, doesn't mean that the rest of us should have to download code that we're going to execute over an untrusted connection.

 

Some people can't read an URL, that's true.  Chrome does a much better job there than the other browsers at helping the user.  But the demographic that are installing forge themselves likely can.

 

I'm not going to get into a argument over the fundamentals of security with you. The fact is that Forge is not a security authority and as such we do not have the ability to give or force modders to use signatures nor do we have the authority to act as a root cert for mods. It's not our place.

 

I didn't ask you to do anything about other modders.  I asked you how we can get the official Forge download to be secure.  THIS page:

 

http://files.minecraftforge.net/

 

I understand you don't control the content provider (ad.fly), which is why I suggested file hashes, but that is less than ideal.

 

This is a stupid argument, we have the best we can do on our end to allow you to attempt to verify the file integrity when downloading. For SECURITY you're on your own. Only download from trusted sources.

 

The best you could do is HTTPS*, and it's just not that hard.

 

I'm not entirely sure why I'm the first to bring this up to you - I suppose other technical users are just using github.

There is nothing that needs to be secured on our site. No private information is transferred and if you have a compromised gateway you're screwed beyond that.

If you want to you can grab the md5s from our site as it's a normal maven repo, so {URL}.md5 will give you the md5 of most of the files.

But again, think about it,

Legit Website: "Here is your MD5: 12345"

Malicious Website: "Here is your MD5: 54321"

For all intents an purposes, and for any user who would actually have the possibility of downloading from a malicious site wouldn't know what a MD5 is.

Beyond that For Forge you can compile it yourself if you don't trust the download source.

And enabling HTTPS is not a simple task. And not a free task.  Beefing up our servers, spending thousands on a cert, and making pages lag for end users all in the non-existent case where they are compromised on a level in which none of our precautions could ever have any effect is not worth it.

I've been doing network security for 10 years.

Without going into a e-peen measuring contest or flame war just accept that I know what I am talking about.

 

 

We're going in circles here, the fact that this site is trustworthy and you trust the project is enough security as needed. Any more is false security.

If you're concerned about malicious code then don't download mods, you're far more likely to have issues from the millions of random sites that you get the actual mods from.

So Closing this as i'm tired of this argument. Please don't presume that you have to explain basic network security/management to me.