Debian Bug report logs - #721731
ITP: camo -- SSL image proxy to prevent mixed-content warnings


Package: wnpp; Maintainer for wnpp is wnpp@debian.org;

Reported by: Luke Faraone <lfaraone@debian.org>

Date: Tue, 3 Sep 2013 16:06:02 UTC

Owned by: Luke Faraone <lfaraone@debian.org>

Severity: wishlist

Fixed in version camo/1.3.0+dfsg-1

Done: Luke Faraone <lfaraone@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, luke@faraone.cc, debian-devel@lists.debian.org, tabbott@zulip.com, jesstess@zulip.com, wnpp@debian.org:
Bug#721731; Package wnpp. (Tue, 03 Sep 2013 16:06:06 GMT)

Acknowledgement sent to Luke Faraone <lfaraone@debian.org>:
New Bug report received and forwarded. Copy sent to luke@faraone.cc, debian-devel@lists.debian.org, tabbott@zulip.com, jesstess@zulip.com, wnpp@debian.org. (Tue, 03 Sep 2013 16:06:06 GMT)

Message #5 received at submit@bugs.debian.org:

From: Luke Faraone <lfaraone@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ITP: camo -- SSL image proxy to prevent mixed-content warnings
Date: Tue, 03 Sep 2013 12:02:56 -0400
Package: wnpp
Severity: wishlist
Owner: Luke Faraone <lfaraone@debian.org>

* Package name    : camo
  Version         : 1.1.1
  Upstream Author : Rick Olson and Cory Donohoe
* URL             : https://github.com/atmos/camo
* License         : Expat
  Programming Lang: JavaScript (nodejs)
  Description     : SSL image proxy to prevent mixed-content warnings

Camo is all about making insecure assets look secure. This is an SSL
image proxy to prevent mixed content warnings on secure pages.

Using a shared key, proxy URLs are encrypted with hmac so we can bust
caches/ban/rate limit if needed.

Features include:
* Proxy Google charts
* Proxy images under 5 MB
* Follow redirects to a configurable depth
* Proxy remote images with a content-type of image/*
* Disallows proxying to private IP ranges
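
The scheme this ITP describes (a shared-key HMAC over the destination URL, plus the refusal to proxy to private IP ranges), as an added example that is not part of the original message and is not camo's own code. The path layout `/<digest>/<hex-encoded URL>`, the use of HMAC-SHA256, the key and all function names are assumptions of this example.

```javascript
const crypto = require('crypto');
const net = require('net');

// Constructed key for the example; a deployment loads it from configuration.
const SHARED_KEY = 'constructed-example-key';

// HMAC authenticates the URL (it does not encrypt it).
function sign(key, url) {
  return crypto.createHmac('sha256', key).update(url).digest('hex');
}

// Path the HTTPS page embeds in place of the plain-HTTP image URL.
function proxyPath(key, url) {
  return '/' + sign(key, url) + '/' + Buffer.from(url, 'utf8').toString('hex');
}

// Loopback, private and link-local literals the proxy must refuse to fetch.
function isPrivateAddress(host) {
  const h = host.replace(/^\[|\]$/g, '').toLowerCase();
  if (net.isIPv4(h)) {
    const [a, b] = h.split('.').map(Number);
    return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
  }
  if (net.isIPv6(h)) {
    return h === '::' || h === '::1' || h.startsWith('::ffff:') ||
      /^f[cd][0-9a-f]{2}:/.test(h) || /^fe[89ab][0-9a-f]:/.test(h);
  }
  return h === 'localhost';
}

// Returns the destination URL, or throws with the reason for refusal.
function verifyProxyPath(key, path) {
  const m = /^\/([0-9a-f]{64})\/((?:[0-9a-f]{2})+)$/.exec(path);
  if (!m) throw new Error('malformed path');
  const url = Buffer.from(m[2], 'hex').toString('utf8');
  const expected = Buffer.from(sign(key, url), 'hex');
  const given = Buffer.from(m[1], 'hex');
  // Constant-time comparison; both buffers are 32 bytes by construction.
  if (!crypto.timingSafeEqual(expected, given)) throw new Error('bad signature');
  const parsed = new URL(url);
  if (!/^https?:$/.test(parsed.protocol)) throw new Error('scheme not allowed');
  if (isPrivateAddress(parsed.hostname)) throw new Error('private destination');
  return url;
}
```

A hostname that resolves to a private address passes this literal check, so the resolved address needs the same test before the proxy connects.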



Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, Luke Faraone <lfaraone@debian.org>:
Bug#721731; Package wnpp. (Tue, 03 Sep 2013 16:27:09 GMT)

Acknowledgement sent to Paul Wise <pabs@debian.org>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org, Luke Faraone <lfaraone@debian.org>. (Tue, 03 Sep 2013 16:27:09 GMT)

Message #10 received at 721731@bugs.debian.org:

From: Paul Wise <pabs@debian.org>
To: Luke Faraone <lfaraone@debian.org>, 721731@bugs.debian.org
Cc: debian-devel@lists.debian.org
Subject: Re: Bug#721731: ITP: camo -- SSL image proxy to prevent mixed-content warnings
Date: Tue, 3 Sep 2013 18:25:01 +0200

On Tue, Sep 3, 2013 at 6:02 PM, Luke Faraone wrote:

> Camo is all about making insecure assets look secure. This is an SSL
> image proxy to prevent mixed content warnings on secure pages.

Is distributing software that pretends it is secure a good idea?

-- 
bye,
pabs

http://wiki.debian.org/PaulWise



Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#721731; Package wnpp. (Tue, 03 Sep 2013 17:03:09 GMT)

Acknowledgement sent to Luke Faraone <lfaraone@debian.org>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org. (Tue, 03 Sep 2013 17:03:09 GMT)

Message #15 received at 721731@bugs.debian.org:

From: Luke Faraone <lfaraone@debian.org>
To: Paul Wise <pabs@debian.org>
Cc: 721731@bugs.debian.org, debian-devel@lists.debian.org
Subject: Re: Bug#721731: ITP: camo -- SSL image proxy to prevent mixed-content warnings
Date: Tue, 3 Sep 2013 13:02:07 -0400

On Tue, Sep 03, 2013 at 06:25:01PM +0200, Paul Wise wrote:
> On Tue, Sep 3, 2013 at 6:02 PM, Luke Faraone wrote:
> > Camo is all about making insecure assets look secure. This is an SSL
> > image proxy to prevent mixed content warnings on secure pages.
> 
> Is distributing software that pretends it is secure a good idea?

This provides integrity protection and last-mile confidentiality to
images, thus preventing a local network attacker from seeing the images
you request (allowing for possible disclosure of the content you're
viewing) or changing their content (to misinform, confuse, or shock).

It of course does not prevent an attacker from modifying the content or
noticing its access if the attacker is in the path between your
datacentre and the image source.

However, even in this case, it provides some security insofar as it
may prevent the attacker from knowing who is accessing the image.

-- 
Luke Faraone;; Debian & Ubuntu Developer; Sugar Labs, Systems
lfaraone on irc.[freenode,oftc].net -- http://luke.faraone.cc
PGP fprint: 5189 2A7D 16D0 49BB 046B DC77 9732 5DD8 F9FD D506

Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, Luke Faraone <lfaraone@debian.org>:
Bug#721731; Package wnpp. (Tue, 03 Sep 2013 17:15:09 GMT)

Acknowledgement sent to Paul Wise <pabs@debian.org>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org, Luke Faraone <lfaraone@debian.org>. (Tue, 03 Sep 2013 17:15:09 GMT)

Message #20 received at 721731@bugs.debian.org:

From: Paul Wise <pabs@debian.org>
To: Luke Faraone <lfaraone@debian.org>
Cc: 721731@bugs.debian.org, debian-devel@lists.debian.org
Subject: Re: Bug#721731: ITP: camo -- SSL image proxy to prevent mixed-content warnings
Date: Tue, 03 Sep 2013 19:12:45 +0200

On Tue, 2013-09-03 at 13:02 -0400, Luke Faraone wrote:

> This provides integrity protection and last-mile confidentiality to
> images, thus preventing a local network attacker from seeing the images
> you request (allowing for possible disclosure of the content you're
> viewing) or changing their content (to misinform, confuse, or shock).
> 
> It of course does not prevent an attacker from modifying the content or
> noticing its access if the attacker is in the path between your
> datacentre and the image source.
> 
> However, even in this case, it provides some security insofar as it
> may prevent the attacker from knowing who is accessing the image.

Ok, that makes sense I guess, I would suggest using that in the package
description rather than what you wrote in the ITP.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise

Added tag(s) pending. Request was from Anibal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org. (Wed, 27 Nov 2013 07:06:20 GMT)

Reply sent to Luke Faraone <lfaraone@debian.org>:
You have taken responsibility. (Mon, 02 Dec 2013 16:03:14 GMT)

Notification sent to Luke Faraone <lfaraone@debian.org>:
Bug acknowledged by developer. (Mon, 02 Dec 2013 16:03:14 GMT)

Message #27 received at 721731-close@bugs.debian.org:

From: Luke Faraone <lfaraone@debian.org>
To: 721731-close@bugs.debian.org
Subject: Bug#721731: fixed in camo 1.3.0+dfsg-1
Date: Mon, 02 Dec 2013 16:00:06 +0000
Source: camo
Source-Version: 1.3.0+dfsg-1

We believe that the bug you reported is fixed in the latest version of
camo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 721731@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luke Faraone <lfaraone@debian.org> (supplier of updated camo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 26 Nov 2013 13:45:34 -0500
Source: camo
Binary: camo
Architecture: source all
Version: 1.3.0+dfsg-1
Distribution: unstable
Urgency: low
Maintainer: Zulip Debian Packaging Team <debian@zulip.com>
Changed-By: Luke Faraone <lfaraone@debian.org>
Description: 
 camo       - SSL/TLS image proxy to prevent mixed-content warnings
Closes: 721731
Changes: 
 camo (1.3.0+dfsg-1) unstable; urgency=low
 .
   * Initial release (Closes: #721731)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 31 Dec 2013 07:34:03 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 16:36:36 2014; Machine Name: buxtehude.debian.org
