Bug 11271 - Download GeoIP database via HTTPS
Summary: Download GeoIP database via HTTPS
Status: CLOSED FIXED
Alias: None
Product: IPFire
Classification: Unclassified
Component: ---
Version: 2
Hardware: all All
Assignee: Matthias Fischer
QA Contact:
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-12-12 16:20 UTC by Timmothy Wilson
Modified: 2017-02-10 12:34 UTC

See Also:


Attachments

Description Timmothy Wilson 2016-12-12 16:20:46 UTC
The GeoIP database is updated automatically once a month via a cron-job.

However, it is downloaded via a plaintext (HTTP) connection. Since there is no integrity mechanism in place (i.e. SHA2 checksum), an attacker could easily modify information, perhaps in order to avoid getting blocked by the firewall.

MaxMind also offers free HTTPS downloads; geolite.maxmind.com got an "A" from the Qualys SSL Labs Server Test (https://www.ssllabs.com/ssltest/analyze.html?d=geolite.maxmind.com).

In ipfire-2.x/src/scripts/xt_geoip_update, only the following patch needs to be applied:

diff --git a/xt_geoip_update b/xt_geoip_update
index 5e4ffed..e9a95bb 100644
--- a/xt_geoip_update
+++ b/xt_geoip_update
@@ -25,7 +25,7 @@ TMP_FILE=$(mktemp -p $TMP_PATH)
 SCRIPT_PATH=/usr/local/bin
 DEST_PATH=/usr/share/xt_geoip
 
-DL_URL=http://geolite.maxmind.com/download/geoip/database
+DL_URL=https://geolite.maxmind.com/download/geoip/database
 DL_FILE=GeoIPCountryCSV.zip
 
 CSV_FILE=GeoIPCountryWhois.csv
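Review bot: This hunk only swaps the scheme in DL_URL, so the protection it adds depends on the download command later in xt_geoip_update (not shown here) verifying the server certificate and not following a redirect back to plaintext; worth confirming that the fetch does not disable certificate checking and saying so in the commit message. As the report itself notes, there is still no checksum over GeoIPCountryCSV.zip, so this closes the transport-tampering path only, not a compromised or substituted file at the origin.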

This should be an easy one. :-)

Best regards,
Timmothy Wilson
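A defender-side version of the download step, written here as an added example (not IPFire's own xt_geoip_update and not the reporter's code): the URL, file name and destination directory come from the report and the hunk's context lines, while the pinned digest, the curl options and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not IPFire's own xt_geoip_update: fetch the archive over
# HTTPS with certificate checks enforced, then install it only if its SHA-256
# matches a digest the operator pinned out of band (placeholder below).
set -eu

DL_URL=https://geolite.maxmind.com/download/geoip/database   # from the report
DL_FILE=GeoIPCountryCSV.zip                                   # from the report
EXPECTED_SHA256="<pinned-sha256-placeholder>"   # assumption: recorded by the operator

# Print a file's SHA-256 digest (coreutils sha256sum or BSD shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Succeed only when the file's digest equals the expected hex string.
verify_sha256() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$1")
    [ "$actual" = "$expected" ]
}

# HTTPS only, also across redirects; TLS 1.2+; certificate verification stays
# on (never add -k/--insecure); HTTP error codes fail the download.
fetch_https() {
    curl --proto '=https' --proto-redir '=https' --tlsv1.2 --fail \
         --silent --show-error --location --max-redirs 3 \
         --output "$2" "$1"
}

# Download to a temp file and move it into place only after verification.
update_geoip() {
    dest_dir=${1:-/usr/share/xt_geoip}    # DEST_PATH from the hunk's context lines
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    fetch_https "$DL_URL/$DL_FILE" "$tmp"
    if ! verify_sha256 "$tmp" "$EXPECTED_SHA256"; then
        echo "checksum mismatch for $DL_FILE, refusing to install" >&2
        return 1
    fi
    mv "$tmp" "$dest_dir/$DL_FILE"
}
```

Calling `update_geoip` from the monthly cron job replaces the bare download; a mismatch leaves the previous database untouched.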
Comment 2 Matthias Fischer 2017-02-10 12:34:29 UTC
Fixed in current 'next'.