2020-07-09 19:52:39

by Alexander A. Klimov

Subject: [PATCH] SCSI RDMA PROTOCOL (SRP) TARGET: Replace HTTP links with HTTPS ones

Rationale:
Reduces attack surface on kernel devs opening the links for MITM
as HTTPS traffic is much harder to manipulate.

Deterministic algorithm:
For each file:
  If not .svg:
    For each line:
      If doesn't contain `\bxmlns\b`:
        For each link, `\bhttp://[^# \t\r\n]*(?:\w|/)`:
          If neither `\bgnu\.org/license`, nor `\bmozilla\.org/MPL\b`:
            If both the HTTP and HTTPS versions
            return 200 OK and serve the same content:
              Replace HTTP with HTTPS.

Signed-off-by: Alexander A. Klimov <[email protected]>
---
Continuing my work started at 93431e0607e5.
See also: git log --oneline '--author=Alexander A. Klimov <[email protected]>' v5.7..master
(Actually letting a shell for loop submit all this stuff for me.)

If there are any URLs to be removed completely or at least not HTTPSified:
Just clearly say so and I'll *undo my change*.
See also: https://lkml.org/lkml/2020/6/27/64

If there are any valid, but yet not changed URLs:
See: https://lkml.org/lkml/2020/6/26/837

If you apply the patch, please let me know.


drivers/infiniband/ulp/srpt/Kconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/infiniband/ulp/srpt/Kconfig b/drivers/infiniband/ulp/srpt/Kconfig
index 4b5d9b792cfa..f63b34d9ae32 100644
--- a/drivers/infiniband/ulp/srpt/Kconfig
+++ b/drivers/infiniband/ulp/srpt/Kconfig
@@ -10,4 +10,4 @@ config INFINIBAND_SRPT
that supports the RDMA protocol. Currently the RDMA protocol is
supported by InfiniBand and by iWarp network hardware. More
information about the SRP protocol can be found on the website
- of the INCITS T10 technical committee (http://www.t10.org/).
+ of the INCITS T10 technical committee (https://www.t10.org/).
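Review bot: the only changed line is the INFINIBAND_SRPT help text, so this is a documentation-only change, yet the changelog does not say so and its rationale reads as if code were being hardened; one sentence stating that only a link in help text changes would make the scope clear. The same `http://www.t10.org/` link also sits in drivers/infiniband/ulp/srp/Kconfig (changed in v2), so the two belong in one patch.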
--
2.27.0


2020-07-10 14:22:47

by Bart Van Assche

Subject: Re: [PATCH] SCSI RDMA PROTOCOL (SRP) TARGET: Replace HTTP links with HTTPS ones

On 2020-07-09 12:48, Alexander A. Klimov wrote:
> diff --git a/drivers/infiniband/ulp/srpt/Kconfig b/drivers/infiniband/ulp/srpt/Kconfig
> index 4b5d9b792cfa..f63b34d9ae32 100644
> --- a/drivers/infiniband/ulp/srpt/Kconfig
> +++ b/drivers/infiniband/ulp/srpt/Kconfig
> @@ -10,4 +10,4 @@ config INFINIBAND_SRPT
> that supports the RDMA protocol. Currently the RDMA protocol is
> supported by InfiniBand and by iWarp network hardware. More
> information about the SRP protocol can be found on the website
> - of the INCITS T10 technical committee (http://www.t10.org/).
> + of the INCITS T10 technical committee (https://www.t10.org/).

It is not clear to me how modifying an URL in a Kconfig file helps to
reduce the attack surface on kernel devs?

Thanks,

Bart.


2020-07-10 18:13:03

by Alexander A. Klimov

Subject: Re: [PATCH] SCSI RDMA PROTOCOL (SRP) TARGET: Replace HTTP links with HTTPS ones



On 10.07.20 at 16:22, Bart Van Assche wrote:
> On 2020-07-09 12:48, Alexander A. Klimov wrote:
>> diff --git a/drivers/infiniband/ulp/srpt/Kconfig b/drivers/infiniband/ulp/srpt/Kconfig
>> index 4b5d9b792cfa..f63b34d9ae32 100644
>> --- a/drivers/infiniband/ulp/srpt/Kconfig
>> +++ b/drivers/infiniband/ulp/srpt/Kconfig
>> @@ -10,4 +10,4 @@ config INFINIBAND_SRPT
>> that supports the RDMA protocol. Currently the RDMA protocol is
>> supported by InfiniBand and by iWarp network hardware. More
>> information about the SRP protocol can be found on the website
>> - of the INCITS T10 technical committee (http://www.t10.org/).
>> + of the INCITS T10 technical committee (https://www.t10.org/).
>
> It is not clear to me how modifying an URL in a Kconfig file helps to
> reduce the attack surface on kernel devs?
Not on all, just on the ones who open it.

>
> Thanks,
>
> Bart.
>
>

2020-07-12 19:52:34

by Bart Van Assche

Subject: Re: [PATCH] SCSI RDMA PROTOCOL (SRP) TARGET: Replace HTTP links with HTTPS ones

On 2020-07-10 11:12, Alexander A. Klimov wrote:
> On 10.07.20 at 16:22, Bart Van Assche wrote:
>> On 2020-07-09 12:48, Alexander A. Klimov wrote:
>>> diff --git a/drivers/infiniband/ulp/srpt/Kconfig b/drivers/infiniband/ulp/srpt/Kconfig
>>> index 4b5d9b792cfa..f63b34d9ae32 100644
>>> --- a/drivers/infiniband/ulp/srpt/Kconfig
>>> +++ b/drivers/infiniband/ulp/srpt/Kconfig
>>> @@ -10,4 +10,4 @@ config INFINIBAND_SRPT
>>>         that supports the RDMA protocol. Currently the RDMA protocol is
>>>         supported by InfiniBand and by iWarp network hardware. More
>>>         information about the SRP protocol can be found on the website
>>> -      of the INCITS T10 technical committee (http://www.t10.org/).
>>> +      of the INCITS T10 technical committee (https://www.t10.org/).
>>
>> It is not clear to me how modifying an URL in a Kconfig file helps to
>> reduce the attack surface on kernel devs?
>
> Not on all, just on the ones who open it.

Is changing every single HTTP URL in the kernel into a HTTPS URL the best
solution? Is this the only solution? Has it been considered to recommend
kernel developers who are concerned about MITM attacks to install a browser
extension like HTTPS Everywhere instead?

Thanks,

Bart.

2020-07-12 20:16:11

by Alexander A. Klimov

Subject: Re: [PATCH] SCSI RDMA PROTOCOL (SRP) TARGET: Replace HTTP links with HTTPS ones



On 12.07.20 at 21:52, Bart Van Assche wrote:
> On 2020-07-10 11:12, Alexander A. Klimov wrote:
>> On 10.07.20 at 16:22, Bart Van Assche wrote:
>>> On 2020-07-09 12:48, Alexander A. Klimov wrote:
>>>> diff --git a/drivers/infiniband/ulp/srpt/Kconfig b/drivers/infiniband/ulp/srpt/Kconfig
>>>> index 4b5d9b792cfa..f63b34d9ae32 100644
>>>> --- a/drivers/infiniband/ulp/srpt/Kconfig
>>>> +++ b/drivers/infiniband/ulp/srpt/Kconfig
>>>> @@ -10,4 +10,4 @@ config INFINIBAND_SRPT
>>>>         that supports the RDMA protocol. Currently the RDMA protocol is
>>>>         supported by InfiniBand and by iWarp network hardware. More
>>>>         information about the SRP protocol can be found on the website
>>>> -      of the INCITS T10 technical committee (http://www.t10.org/).
>>>> +      of the INCITS T10 technical committee (https://www.t10.org/).
>>>
>>> It is not clear to me how modifying an URL in a Kconfig file helps to
>>> reduce the attack surface on kernel devs?
>>
>> Not on all, just on the ones who open it.
>
> Is changing every single HTTP URL in the kernel into a HTTPS URL the best
> solution? Is this the only solution? Has it been considered to recommend
> kernel developers who are concerned about MITM attacks to install a browser
> extension like HTTPS Everywhere instead?
I've installed that addon myself.
But IMAO it's just a workaround which is (not available to all browsers,
not installed by default in any of them and) not even 100% secure unless
you tick a particular checkbox.

Anyway the majority of maintainers and Torvalds himself agree with my
solution.

I mean, just look at
git log '--author=Alexander A. Klimov <[email protected]>' \
--oneline v5.7..master

Or (better) wait for v5.9-rc1 (and all the yet just applied patches it
will consist of) *and then* run the command.

>
> Thanks,
>
> Bart.
>

2020-07-13 13:51:35

by Jason Gunthorpe

Subject: Re: [PATCH] SCSI RDMA PROTOCOL (SRP) TARGET: Replace HTTP links with HTTPS ones

On Sun, Jul 12, 2020 at 10:15:29PM +0200, Alexander A. Klimov wrote:
>
>
> On 12.07.20 at 21:52, Bart Van Assche wrote:
> > On 2020-07-10 11:12, Alexander A. Klimov wrote:
> > > On 10.07.20 at 16:22, Bart Van Assche wrote:
> > > > On 2020-07-09 12:48, Alexander A. Klimov wrote:
> > > > > diff --git a/drivers/infiniband/ulp/srpt/Kconfig b/drivers/infiniband/ulp/srpt/Kconfig
> > > > > index 4b5d9b792cfa..f63b34d9ae32 100644
> > > > > +++ b/drivers/infiniband/ulp/srpt/Kconfig
> > > > > @@ -10,4 +10,4 @@ config INFINIBAND_SRPT
> > > > >         that supports the RDMA protocol. Currently the RDMA protocol is
> > > > >         supported by InfiniBand and by iWarp network hardware. More
> > > > >         information about the SRP protocol can be found on the website
> > > > > -      of the INCITS T10 technical committee (http://www.t10.org/).
> > > > > +      of the INCITS T10 technical committee (https://www.t10.org/).
> > > >
> > > > It is not clear to me how modifying an URL in a Kconfig file helps to
> > > > reduce the attack surface on kernel devs?
> > >
> > > Not on all, just on the ones who open it.
> >
> > Is changing every single HTTP URL in the kernel into a HTTPS URL the best
> > solution? Is this the only solution? Has it been considered to recommend
> > kernel developers who are concerned about MITM attacks to install a browser
> > extension like HTTPS Everywhere instead?
> I've installed that addon myself.
> But IMAO it's just a workaround which is (not available to all browsers, not
> installed by default in any of them and) not even 100% secure unless you
> tick a particular checkbox.
>
> Anyway the majority of maintainers and Torvalds himself agree with my
> solution.
>
> I mean, just look at
> git log '--author=Alexander A. Klimov <[email protected]>' \
>
> Or (better) wait for v5.9-rc1 (and all the yet just applied patches it will
> consist of) *and then* run the command.

Well, if you are going to do this please send just one patch for all
of drivers/infiniband/ and include/rdma

I don't need to see it broken up any more than that

Jason

2020-07-13 21:49:14

by Alexander A. Klimov

Subject: [PATCH v2] IB: Replace HTTP links with HTTPS ones

Rationale:
Reduces attack surface on kernel devs opening the links for MITM
as HTTPS traffic is much harder to manipulate.

Deterministic algorithm:
For each file:
  If not .svg:
    For each line:
      If doesn't contain `\bxmlns\b`:
        For each link, `\bhttp://[^# \t\r\n]*(?:\w|/)`:
          If neither `\bgnu\.org/license`, nor `\bmozilla\.org/MPL\b`:
            If both the HTTP and HTTPS versions
            return 200 OK and serve the same content:
              Replace HTTP with HTTPS.

Signed-off-by: Alexander A. Klimov <[email protected]>
---
Just drivers/infiniband. There's nothing for include/rdma.

drivers/infiniband/ulp/iser/Kconfig | 2 +-
drivers/infiniband/ulp/srp/Kconfig | 2 +-
drivers/infiniband/ulp/srpt/Kconfig | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/infiniband/ulp/iser/Kconfig b/drivers/infiniband/ulp/iser/Kconfig
index 3016a0c9a9f0..6ba73ae1291b 100644
--- a/drivers/infiniband/ulp/iser/Kconfig
+++ b/drivers/infiniband/ulp/iser/Kconfig
@@ -9,5 +9,5 @@ config INFINIBAND_ISER
that speak iSCSI over iSER over InfiniBand.

The iSER protocol is defined by IETF.
- See <http://www.ietf.org/rfc/rfc5046.txt>
+ See <https://www.ietf.org/rfc/rfc5046.txt>
and <http://members.infinibandta.org/kwspub/spec/Annex_iSER.PDF>
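Review bot: the trailing context line still carries `<http://members.infinibandta.org/kwspub/spec/Annex_iSER.PDF>` over plain HTTP while the RFC link one line above moves to HTTPS, and the changelog does not say whether that URL failed the 200 OK / same-content check or was skipped for another reason. A line under the `---` listing the links left unchanged and why would let the maintainer confirm the mixed result is intended.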
diff --git a/drivers/infiniband/ulp/srp/Kconfig b/drivers/infiniband/ulp/srp/Kconfig
index 67cd63d1399c..c33f4e5fa4d7 100644
--- a/drivers/infiniband/ulp/srp/Kconfig
+++ b/drivers/infiniband/ulp/srp/Kconfig
@@ -9,5 +9,5 @@ config INFINIBAND_SRP
InfiniBand.

The SRP protocol is defined by the INCITS T10 technical
- committee. See <http://www.t10.org/>.
+ committee. See <https://www.t10.org/>.

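Review bot: the changed line writes the link as `<https://www.t10.org/>` in angle brackets, while the srpt help text in the next hunk writes the same link in parentheses. Unifying the two is a separate cleanup, but since this patch touches both lines it is worth mentioning in the changelog or doing in a follow-up.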
diff --git a/drivers/infiniband/ulp/srpt/Kconfig b/drivers/infiniband/ulp/srpt/Kconfig
index 4b5d9b792cfa..f63b34d9ae32 100644
--- a/drivers/infiniband/ulp/srpt/Kconfig
+++ b/drivers/infiniband/ulp/srpt/Kconfig
@@ -10,4 +10,4 @@ config INFINIBAND_SRPT
that supports the RDMA protocol. Currently the RDMA protocol is
supported by InfiniBand and by iWarp network hardware. More
information about the SRP protocol can be found on the website
- of the INCITS T10 technical committee (http://www.t10.org/).
+ of the INCITS T10 technical committee (https://www.t10.org/).
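Review bot: this hunk is identical to the v1 patch (same index line 4b5d9b792cfa..f63b34d9ae32), but the notes under the `---` only say which directory is covered. A short "v1 -> v2" line stating that the srpt change is unchanged and that the iser and srp hunks are new would save the reviewer from comparing the two postings by hand.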
--
2.27.0
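
The "Deterministic algorithm" stated in the v1 and v2 commit messages above, written out as an added Python example; it is not part of the thread and not the script the patch author ran. The network check is replaced by a constructed response table, and `fake_fetch` and the other function names are this example's own assumptions.

```python
import re

# Patterns copied from the commit message's "Deterministic algorithm".
XMLNS = re.compile(r"\bxmlns\b")
LINK = re.compile(r"\bhttp://[^# \t\r\n]*(?:\w|/)")
EXEMPT = (re.compile(r"\bgnu\.org/license"), re.compile(r"\bmozilla\.org/MPL\b"))

# Constructed responses standing in for the network (not real measurements):
# url -> (status, body). URLs missing from the table are unreachable.
CONSTRUCTED = {
    "http://www.t10.org/": (200, b"T10 home"),
    "https://www.t10.org/": (200, b"T10 home"),
    "http://example.invalid/doc": (200, b"plain"),
    "https://example.invalid/doc": (200, b"different"),
}

def fake_fetch(url):
    """Hypothetical fetcher; a real one would issue a GET for the URL."""
    if url not in CONSTRUCTED:
        raise OSError("unreachable: " + url)
    return CONSTRUCTED[url]

def https_equivalent(url, fetch):
    """Both schemes must return 200 OK and serve the same content."""
    secure = "https://" + url[len("http://"):]
    try:
        (s1, b1), (s2, b2) = fetch(url), fetch(secure)
    except OSError:  # DNS failure, refused connection, TLS error
        return False
    return s1 == s2 == 200 and b1 == b2

def rewrite_line(line, fetch=fake_fetch):
    """Per-line steps: skip xmlns lines, then test each link in turn."""
    if XMLNS.search(line):
        return line
    def swap(m):
        url = m.group(0)
        if any(p.search(url) for p in EXEMPT) or not https_equivalent(url, fetch):
            return url  # exempted, or HTTPS is not a drop-in replacement
        return "https://" + url[len("http://"):]
    return LINK.sub(swap, line)

def rewrite_file(name, text, fetch=fake_fetch):
    """Per-file step: .svg files are never touched."""
    if name.endswith(".svg"):
        return text
    return "".join(rewrite_line(l, fetch) for l in text.splitlines(keepends=True))

if __name__ == "__main__":
    print(rewrite_line("committee (http://www.t10.org/).\n"), end="")
```

A link whose HTTPS fetch fails or returns a different body is left as it was, which is how one line of a help text can end up with one rewritten and one untouched URL.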