From 1f893e0b7efeb2b3b3fd4d022b85044177b0030b Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 31 Jul 2024 23:58:40 +0200 Subject: [PATCH] project/security.md: howe we combat backdoors Closes #499 --- project/security.md | 46 +++++++++++++++++++++++++++++++++++++++++++++ wordlist.txt | 5 ++++- 2 files changed, 50 insertions(+), 1 deletion(-) diff --git a/project/security.md b/project/security.md index 45edc7ef34..d399e2b3f9 100644 --- a/project/security.md +++ b/project/security.md @@ -26,3 +26,49 @@ chart](https://curl.se/docs/vulnerabilities.html) showing how all vulnerabilities affect which curl versions and we have this complete list of all known security problems since the birth of this project. +## Backdoors and supply chain risks + +With libcurl being installed and running in billions of installations all over +the world and in countless different environments, we recognize that it is an +ideal target for someone who wants a backdoor somewhere. + +A new or old maintainer might at any point propose a change that sounds +innocent and well-meaning but has a disguised malicious intent. + +To mitigate such risks, we apply established procedures and techniques: + +- **2FA required**. We require all maintainers with push access to git to have + two-factor authentication enabled, to reduce the risk that attackers can + impersonate them and use their credentials to push source code changes. +- **Reviews**. Every contribution that are proposed for inclusion in the + project is reviewed by a maintainer. It is also automatically checked, + tested and scanned by numerous tools. +- **Readable code**. We believe in readable code that follows our code style. + Easy to read makes it easy to debug. If code is hard to read it should be + improved until it gets easy to read. With easy to read code, smuggling + malicious payloads or hiding nefarious functionality is excruciatingly hard. +- **Tests**. We have a large test suite that is always growing and we do not + accept changes that break existing tests and new functionality need to bring + new tests for the new functionality. We run *several hundred thousands* + tests on each proposed changed to make sure existing functionality remains. + This includes fuzzers, static code analyzers, fault injectors and more. +- **No binary blobs**. All files stored in version control, in the git + repository is readable or is otherwise small and documented. There is no + place anywhere for any hidden encrypted payload. +- **Reproducible builds**. curl releases are shipped as tarballs that are + hosted on the curl website. We provide documentation, docker setups and + setups etc that allows anyone wanting to easily reproduce our release builds + to generate identical images - proving that what we ship is only contents + taken from the git repository plus other correct and properly generated + contents. +- **Signed commits**. Some - not all - of the committers sign commits to help + prove provenance. +- **Signed releases**. Every release, every uploaded tarball, is signed by + Daniel. This helps to prove that the files have not been tampered with since + they were produced. +- **Fix all vulnerabilities quickly**. Whenever we receive a security + vulnerability report, we create and ship a fix in the next pending release. + Sometimes sooner than previously planned. With every fixed security + vulnerability we release a detailed description of the flaw including exact + commit that introduced the problem, recommendations for users and more. + Further, the security advisories get announced to the world. diff --git a/wordlist.txt b/wordlist.txt index 2623350c3b..0975e273f4 100644 --- a/wordlist.txt +++ b/wordlist.txt @@ -23,6 +23,8 @@ autobuild autobuilds Autotools autotools +Backdoor +Backdoors backend backends backoff @@ -169,6 +171,7 @@ FreeBSD Frexx fseek FTPing +fuzzers fwrite gcc gdb @@ -221,6 +224,7 @@ http HTTPAUTH httpget HttpGet +HTTPHEADER HTTPS https Huawei @@ -583,7 +587,6 @@ wolfSSL WS WSS www -HTTPHEADER xdigit Xilinx XYZ