[opam-devel] [ocaml-infra] expiration SSL certificate

Daniel Bünzli daniel.buenzli at erratique.ch
Tue Sep 13 12:42:24 BST 2016


On Tuesday 13 September 2016 at 12:56, David Sheets wrote:
> > "Note that yojson never checks the encoding of strings."
> 
> This refers to the internal string representation.

Please, check your facts.
 
> It's not clear to me why or how this will result in users "being sorry" for using a
> library in order to get a certificate from a (trusted) CA.

Any yojson user might end up being sorry at some point, and I have said this for a long time [1]. There are quite a few scenarios where you could be bitten by this behaviour, since it invalidates invariants you may think hold about a string that was decoded by a standard-compliant JSON parser (like the absence of a NULL byte in the original string -- note that decoded strings re-encoded to UTF-8 may contain null bytes because U+0000 is allowed via *escape*). Now store that original string somewhere and think about the fact that most of OCaml's system APIs were vulnerable to NULL byte injection until recently (and I'm sure a lot of other C bindings are).

> Telling them is certainly more effective (and socially responsible) than
> spreading FUD on an unrelated mailing list.

I'm not spreading FUD, I'm talking about a reality, on a mailing list where this project was mentioned as being used. And sorry, I don't have time to lose on random people toying in a random, unreleased GitHub repository.

> I still don't think you've demonstrated insecurity (except perhaps your own).

Security is a mindset. You are showing that you do not have it, and I personally feel that neither does an individual who uses insecure libraries to build security infrastructure. Now trust whom you want; it just happens that I have different expectations about the quality of the code I use.

Best, 

Daniel

[1] http://alan.petitepomme.net/cwn/2012.05.08.html#2
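The failure mode described in the message above (a JSON `\u0000` escape producing a decoded string that contains a NUL byte, which a NUL-terminated C API then silently truncates), shown as an added example. This is not code from the thread, from yojson or from the OCaml project; it uses Python's standard `json` module as the standard-compliant decoder, the JSON document is constructed for the demonstration, and `as_c_string_would_see` merely models how a C string API stops at the first NUL byte.

```python
"""Added example: NUL byte smuggled through a JSON \\u0000 escape.

Not from the thread, yojson or OCaml. Python's json module plays the role of
a standard-compliant JSON decoder; the JSON document below is constructed.
"""
import json


def decode_json_string(text: str) -> object:
    """Decode JSON text with a standard-compliant parser.

    RFC 8259 allows U+0000 only via the escape \\u0000, so the raw JSON
    text never contains a NUL byte, but the decoded string may.
    """
    return json.loads(text)


def as_c_string_would_see(s: str) -> str:
    """Model a NUL-terminated C API: everything after the first \\x00 is lost."""
    nul = s.find("\x00")
    return s if nul < 0 else s[:nul]


def safe_for_c_api(s: str) -> str:
    """Guard to run before handing a decoded string to a C binding or syscall.

    Rejects embedded NUL bytes so the string the application validated is the
    string the C side actually operates on.
    """
    if "\x00" in s:
        raise ValueError("embedded NUL byte in string destined for a C API")
    return s


def demo() -> dict:
    # Constructed JSON document: the six characters \u0000 are an escape,
    # so the raw JSON text itself contains no NUL byte.
    doc = '{"path": "/tmp/upload.txt\\u0000.jpg"}'
    path = decode_json_string(doc)["path"]

    # An application-level check on the decoded string passes ...
    extension_ok = path.endswith(".jpg")
    # ... but a NUL-terminated C API would operate on a different path.
    seen_by_c = as_c_string_would_see(path)

    try:
        safe_for_c_api(path)
        rejected = False
    except ValueError:
        rejected = True

    return {
        "raw_json_has_nul": "\x00" in doc,
        "decoded_has_nul": "\x00" in path,
        "extension_check_passed": extension_ok,
        "c_api_sees": seen_by_c,
        "guard_rejected": rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point of the example is the gap between the two views of the same value: the extension check on the decoded string succeeds on `.jpg`, while the C side sees `/tmp/upload.txt`. A decoder that does not reject or flag such strings leaves that check to every caller; the guard here is the minimum a caller must add before the string crosses into NUL-terminated territory.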