Requiring 2FA to Publish to Crates.io

kornel · 2018-07-12T20:10:39.768Z

withoutboats:

Where do you imagine a 2FA being introduced by crates.io?

When publishing new code. Every time cargo publish is run.
When adding or removing owners. cargo owner and actions on the website (because otherwise attacker could add a new owner with 2FA they control, and publish code).

The threat here is that a virus running on developer’s machine can easily steal Cargo’s CLI login token and crates.io cookies. The goal is to make these easy-to-steal tokens not sufficient for distribution of new code to users of the developer’s crates.

GitHub’s 2FA here is a red herring. It can’t be used, and it’s not sufficient to protect CLI login tokens.

Imagine worst case scenario of a worm:

Developer of some crate gets infected with malware. The malware steals ~/.cargo/credentials.
The token from the credentials file is used to publish new versions of all of developer’s crates with a new build.rs that contains the credential-stealing malware.
Other developers run cargo update; cargo build, and end up running the new infected build.rs
GOTO 1

Such worm could quickly spread throughout the crates.io ecosystem.

kornel · 2018-07-12T20:28:18.531Z

insanitybit:

Your v0.0.1 toy project is no different from someone else’s v1.0.0 project - they both have the exact same threat model for consumers.

I argue that the actual threat here is very different.

First release by definition is not already installed on other people’s machines. It’s not trusted by anyone yet. Infection is slow, since it requires intentional, manual action by users, and users are aware of what they’re installing.
Update of an existing project that is used as dependency by others gets pulled automatically on cargo update, and new builds or installs of crates that depend on the infected project.

If I publish new-toy-project 0.0.1 now, almost nobody will be affected. If I publish infected libc 0.2.43 now, the whole Rust ecosystem will crumble.

The mechanism may be the same, but the impact is very different.

withoutboats · 2018-07-12T20:31:30.058Z

insanitybit:

I think the default should be 2FA, and opting out should be carefully considered as a feature. Your v0.0.1 toy project is no different from someone else’s v1.0.0 project - they both have the exact same threat model for consumers.

I’m also surprised by this claim. Anyone can upload to crates.io, is my v0.0.1 malware no different from sone else’s v1.0.0 project? Users need to make individual trust decisions about the crates they use; if they want to depend only on crates by authors who execute certain security practices, that’s their decision to make.

insanitybit · 2018-07-12T22:41:45.458Z

withoutboats:

Where do you imagine a 2FA being introduced by crates.io? cargo login ? cargo publish ? Maybe there’s a way we could make the GitHub OAuth require a 2FA? The proposal is not clear to me.

On cargo publish. The assumption here is that the token has been compromised (as in the attack disclosed today).

You would run cargo publish, you would 2FA, the publish would succeed.

Maybe other APIs? I have not looked at cargo’s API - it may require coverage elsewhere. Publish seems sufficient, offhand.

kornel:

First release by definition is not already installed on other people’s machines. It’s not trusted by anyone yet. Infection is slow, since it requires intentional, manual action by users, and users are aware of what they’re installing.

I agree with you that scope is different, but I don’t think that’s very compelling.

withoutboats:

Anyone can upload to crates.io, is my v0.0.1 malware no different from sone else’s v1.0.0 project?

Yes, absolutely. These are two completely different attackers, and two completely different attacks.

One is social engineering a developer into downloading malware. One is attacking an existing package, which you may have already vetted, or may be from someone from trust, etc. Totally different.

But this is very ‘in the weeds’ - is the point that we should not make it mandatory because it will add friction to first publishes? The friction will exist with all publishes, regardless of version. The first time, they will have to set up 2FA - that is a shame, but an extremely common workflow.

withoutboats:

if they want to depend only on crates by authors who execute certain security practices, that’s their decision to make

Cargo can significantly impact these security practices.

softprops · 2018-07-12T23:02:51.602Z

I think this would be a useful opt in feature with maybe some way to visualize 2fa verified artifacts in crate.ios ui.

I would strongly think about the implications of making it the default/a requirement.

Sonotype is one example of a relatively secure system that has a notoriously high barrier of entry for someone that just wants to share their work with the world. 2fa is a step forward from explaining pgp keys to someone new to software development but it’s still a notable barrier of entry.

Consider the impact on automation. Continuous delivery and deployment a requirement for some. Automating these processes is still useful even when not required. 2fa complicates the ability to automate these processes.

Ixrec · 2018-07-12T23:35:50.382Z

I’m also not entirely clear what’s being proposed here. But opt-in security features sound great. Exposing what crates use those security features is probably a good thing.

It’d be especially cool if, whenever one of your crates got X downloads or Y transitive dependents, crates.io sent you a congratulatory email that also linked to things like “how to set up 2FA” and Rust Bus and whatever else the community feels that “successful” crate authors ought to know about and consider using.

The big risk is in demonizing* crates that don’t use 2FA such that we end up harming the ecosystem instead of making it more secure. For example:

Crate foo uses 2FA. Some company decides they only want “secure”/2FA-using dependencies. foo adds a dependency on bar that does not use 2FA. foo gets a complaint because suddenly this is considered a breaking change.
Crate abc decides they only want “secure” dependencies. But they really want to use def. So abc decides to copy paste all of def's code into a new abc-def crate that they can 2FA-publish. Or worse, “vendor” def's code by copy-pasting it directly into abc.
crates.io actually does enable this by default. Many crates decide 2FA isn’t worth the hassle, and those crates remain github-only. Then they get a complaint that they aren’t on crates.io, or someone forks/vendors them just to work around that…

Any security proposal that makes these scenarios plausible would be causing more harm than good in my opinion. So until we get to the point where 2FA is as easy for people to deal with as making a Github/crates.io account in the first place, I’d rather not require it.

*I use this particular word because I see significant parallels to this old thread and I happen to agree with nrc’s response to it

insanitybit · 2018-07-13T01:10:09.653Z

softprops:

Consider the impact on automation. Continuous delivery and deployment a requirement for some. Automating these processes is still useful even when not required. 2fa complicates the ability to automate these processes.

I called automation out in my initial post - coming up with a viable workflow is, of course, necessary. I proposed an off-the-cuff solution to this, where you have an ‘opt out’ key that lives on CI.

I don’t think this feature is really worth implementing opt-in. I wouldn’t be against it, but I wouldn’t care or consider it a win.

Opt out would be acceptable, though I’d want something like a ‘reminder’ for the devs to reenable it.

I dislike the idea of relying on crate badges for this (edit: as in, badges are not even a viable option as they expose sensitive account information). It should just be safer.

Ixrec:

I’m also not entirely clear what’s being proposed here.

Which part?

When you call ‘cargo publish’ it requires a second auth.

This directly prevents the issue of stolen tokens. We have seen this issue today with npm.

Ixrec:

But opt-in security features sound great. Exposing what crates use those security features is probably a good thing.

Opt in would have been mostly useless in this situation (the attack I linked). Enough people would not have done it, and the scope of the attack was large enough (an extremely popular package was compromised), that the attacker likely would have had credentials for a non MFA’d account.

It would be useful to have it for an attacker who only managed to compromise one, or a small number, of tokens. However, I still feel that opt-out is the clear choice.

2FA is an extremely common practice at this point. Anyone pushing code to crates.io is very, very likely to have interacted with it at some point. I do not feel that it adds significant friction to someone adding their first rust crate. I feel that it adds a completely manageable amount of friction to a CI build (having CI secrets is a completely supported, well established concept).

2FA is a lightweight approach, does not require a ton of complexity, has low impact on standard workflows, and could be rolled out incrementally.

So, to address your points individually…

Ixrec:

Crate foo uses 2FA. Some company decides they only want “secure”/2FA-using dependencies. foo adds a dependency on bar that does not use 2FA. foo gets a complaint because suddenly this is considered a breaking change.

I do not feel that ‘badging’ is the way to go anyways. I feel that opt-out or mandatory is the better approach here. I strongly feel that it should never be public whether someone’s account has 2FA on it - that would be a disaster, as attackers can cut down to exactly who to target. That is simply not viable.

Ixrec:

Crate abc decides they only want “secure” dependencies. But they really want to use def . So abc decides to copy paste all of def 's code into a new abc-def crate that they can 2FA-publish. Or worse, “vendor” def 's code by copy-pasting it directly into abc .

I address this bit above - no tags, no badges. They make us less safe.

Ixrec:

crates.io actually does enable this by default. Many crates decide 2FA isn’t worth the hassle, and those crates remain github-only. Then they get a complaint that they aren’t on crates.io, or someone forks/vendors them just to work around that…

This is acceptable. For one thing, I strongly feel that an extreme minority of developers would reject crates.io because it requires 2FA. This is simply not realistic to me - 2FA is extremely common, especially in a developers life. Second, for those who choose not to use 2FA, good. I hope they get forked and the new maintainer uses 2FA. This is standard for other security issues.

Ixrec:

Any security proposal that makes these scenarios plausible would be causing more harm than good in my opinion.

The only scenario that is even possible is the third and I really do not feel that you’ve justified the scenario being either likely or a real problem.

insanitybit · 2018-07-13T01:17:24.182Z

To reiterate, if 2FA were mandatory, rust would be immune to the attack that took place today. There is no debate about that.

So the question is - is the impact of 2FA worth being immune to this attack?

The impact of this attack could be absolutely massive (RCE across a massive number of rust users)

The attack is realistic, clearly something attackers are investing in

2FA seems like a very good fit for this.

Off the top of my head, I do have some questions - for example, dealing with the impact on users who do not have phones or have very poor internet connections. But I don’t think these are significant barriers.

withoutboats · 2018-07-13T02:20:53.733Z

insanitybit:

To reiterate, if 2FA were mandatory, rust would be immune to the attack that took place today. There is no debate about that.

Actually, I have no idea if this is true. I haven’t seen any postmortem which explains how the attacker managed to publish a new version of eslint-scope, its entirely possible they compromised a user’s second factor as a part of this attack.

gbutler · 2018-07-13T02:24:31.274Z

I think the security and integrity of crates.io is an incredibly important thing for the Rust to be successful. Whether or not 2FA is the way forward or part of that is surely worthy of discussion.

insanitybit · 2018-07-13T02:29:51.683Z

withoutboats:

Actually, I have no idea if this is true. I haven’t seen any postmortem which explains how the attacker managed to publish a new version of eslint-scope , its entirely possible they compromised a user’s second factor as a part of this attack.

I believe they have already stated that it was password reuse on other, compromised sites. **

It is possible that 2FA was compromised (and they chose to omit this), but doubtful. Beyond that, I don’t think it’s relevant - 2FA is already “the solution” to password compromise, and it’s chosen by many, many companies.

I’m going to update my first post with something a bit more formal.

**

The maintainer whose account was compromised had reused their npm password on several other sites and did not have two-factor authentication enabled on their npm account.

ESLint - Pluggable JavaScript linter

Postmortem for Malicious Packages Published on July 12th, 2018

A pluggable and configurable linter tool for identifying and reporting on patterns in JavaScript. Maintain your code quality with ease.

insanitybit · 2018-07-13T02:32:53.285Z

I’ve updated my first post to clarify some of my points. I apologize for the rough first pass - I was at work and did not have much time.

I hope this adequately explains my position on this, and addresses some concerns that others have raised.

I appreciate the discussion so far.

withoutboats · 2018-07-13T03:03:33.009Z

I feel like it kind of seems like I’ve been stonewalling a bit, so I want to be clearer about my feelings, which are moderately pro 2FA (though I don’t see it as urgent):

I think optional 2FA is a very good idea. I’m uncertain the best way to integrate it into our existing flow.
I think login tokens should probably also expire after a certain amount of time.
I think requiring 2FA for all users is a bad idea, but I think we it wouldn’t be a bad idea figure out a “threshold of centrality” beyond which crates.io should require 2FA. Something like: if your crate is one of the X% most downloaded of the last 6 months, you need to have 2FA enabled.

insanitybit · 2018-07-13T03:08:53.094Z

withoutboats:

I feel like it kind of seems like I’ve been stonewalling a bit

I’m proposing something fairly significant, I would expect healthy pushback and exploration. Don’t worry about it.

Perhaps I sound too urgent - while I do believe strongly that this is the right path, I am not trying to make it sound as if the sky is falling. But I do want to express that I consider this to be a reasonable approach to a real threat.

withoutboats:

I think login tokens should probably also expire after a certain amount of time.

I actually don’t think login tokens are that scary - at most an attacker can revoke and DOS. Expiration seems reasonable, but unrelated to this threat.

edit: Ah, actually, token generation should certainly be behind a 2FA - forgot about that.

withoutboats:

I think requiring 2FA for all users is a bad idea, but I think we it wouldn’t be a bad idea figure out a “threshold of centrality” beyond which crates.io should require 2FA. Something like: if your crate is one of the X% most downloaded of the last 6 months, you need to have 2FA enabled.

All this means is an attacker would aim below the threshold. Determining that threshold seems complex (differentiating between bors downloads and human seems hard), and I don’t think it’s worthwhile.

Can you explain why you believe that 2FA for all users is bad? I’ve spent some time justifying why I think it is not bad.

uberjay · 2018-07-13T04:58:21.827Z

withoutboats:

I think login tokens should probably also expire after a certain amount of time.

This seems like a pretty good idea. It’s not enough by itself, IMO, but it does throw up an additional roadblock, especially in the case of an abandoned or infrequently updated crate. In particular, this helps mitigate an attack on a maintainer who may not be paying as close attention.

insanitybit:

All this means is an attacker would aim below the threshold. Determining that threshold seems complex (differentiating between bors downloads and human seems hard), and I don’t think it’s worthwhile.

Yeah, explicitly or implicitly revealing ideal crates to target seems pretty undesirable…

Security is often at odds with convenience. Personally, I’m pretty willing to be inconvenienced in exchange for having more assurances of security… so, with that out there:

The amount of software that I (and probably most of us) download and execute sight unseen freaks me out on a regular basis.

With rust’s slant towards a slim std, crates.io is an enormously critical component… I think, in a way that leaves a language like Go less exposed. (ok, perhaps that’s just because of Go’s lack of dependency management forces widespread vendoring. which of course has its own, different security issues. but I digress…)

I think mandatory 2FA, or something like it (or several things like it!) would be wonderful. I think crates.io should be thought of as a community resource that we all, collectively, need to look after – depending on individual people to opt-in and make that security/convenience trade-off, IMO, does us all a disservice. We all make mistakes, and aren’t that great at estimating risk.

On the one hand, we are literally talking about making it harder to publish a crate… …and yet, it sure would be nice to only make it hard for the nefarious actor. So, some other ideas that spring to mind:

Permit other 2FA options: email, sms (probably more trouble than it’s worth).
Publish to staging area, released by email/link challenge.
Publish to staging area, released after some time delay.
Also there’s a link to say “hey wait a minute, I did not publish that crate, lock it down”

Some combination of the above? Something else entirely?

Despite my apparent love for making it more difficult to publish a crate, I think it’s really critical to stay as inclusive as possible. Inadvertently causing groups of people to “not bother” because it’s too annoying, or because they don’t have a smartphone, or for other similar reasons would be pretty sad. (but more importantly, a loss for the rust community!)

dpc · 2018-07-13T06:10:10.783Z

A mandatory 2FA and some additional checks for 2FA-opt-out tokens would be a great improvement. Just make sure the options there are not limiting anyone - not because of inconvenience, but for technical reasons (lack of access to a smartphone, sms infrastructure, etc.).

One thing that I would like to suggest is not focusing too much on the details of the latest NPM accident and thinking more comprehensively: the core problem of NPM is the ease of pulling in code written by thousands of strangers into your projects. It’s a hard problem, but requiring everyone to review every version of every dependency is not going to work, and any more scalable improvements would be great.

Nemo157 · 2018-07-13T06:37:54.456Z

Having opt-out tokens for CI seems to defeat the purpose of 2FA. I use automated publishing for all my crates, I don’t think I even have an API token on my laptop. The only way someone can publish a compromised version of one of my crates is either via acquiring my GitHub login (where I do have 2FA) or acquiring the token from my CI. If I had an opt-out token also stored in CI then that would be acquired at the same time.

One idea I had for automated publish + 2FA is to have an extra intermediate step where crates.io has preliminarily accepted the new version but requires an owner to login and verify it via 2FA before it is publically released. That’s much more work than just having a 2FA gate during the current publish step though.

H2CO3 · 2018-07-13T07:16:08.521Z

kornel:

I’m not sure if it should be on by default for all publishing

If it isn’t on by default, ~~nobody will turn it on by themselves.~~ Yes, that’s a tad hyperbolic. Only those who genuinely care about security in the large and at least know what 2FA is will turn it on. I’d expect that to be a fairly low percentage of the average programmer, unfortunately.

So, IMO it should probably be on/required by default, and there should be a (fairly painful/lengthy) way of opting out if someone decides that they absolutely positively don’t want 2FA for some weird reason.

kornel · 2018-07-13T09:05:22.505Z

That’s why I’m suggesting to make it required for owners of popular/important crates, who are high risk targets.

Mandating 2FA for every situation, even low risk, will make it more painful to get started with crates, and security absolutism may be putting new users off.

kornel · 2018-07-13T09:12:58.057Z

Low friction alternative to 2FA, especially for CI:

Send confirmation email to crate owners. Include a temporary link there that unpublishes the crate.

It’s of course not as robust as 2FA, but still a significant improvement, because email passwords generally are not as easy to steal as the unencrypted credentials file.

This would help detect when an unauthorized publication is made. It can be enabled immediately for all accounts.

It could be combined with welcome email with instructions/best practices for maintaining crates.

A stronger version could be:

Send email with confirmation link. cargo publish only uploads (so CI can do it), but the new version is not visible until the link is clicked.