quicklisp security (or total lack of it)

This page summarizes the projects mentioned and recommended in the original post on /r/lisp

SaaSHub - Software Alternatives and Reviews
SaaSHub helps you find the best software and product alternatives
www.saashub.com
featured
  • mitm6

    pwning IPv4 via IPv6

  • SaaSHub

    SaaSHub - Software Alternatives and Reviews. SaaSHub helps you find the best software and product alternatives

    SaaSHub logo
  • bettercap

    The Swiss Army knife for 802.11, BLE, HID, CAN-bus, IPv4 and IPv6 networks reconnaissance and MITM attacks.

  • quicklisp-client

    Quicklisp client.

    The latest comment I see about this here from Oct. 2022 says they're working on it. There's also comment by the developer in 2016 saying want to improve the security soon, so it doesn't really seem this will actually happen soon. I realise making signature verification work cross platform in pure lisp without external dependencies isn't easy but from latest comment it seems they have that working, in a branch written 4 years ago? The simplest no-code solution is just since quicklisp is published every month or so, on each new update publish a file with sha256 hash of every package contained in quicklisp signed with same developer's pgp key they are already using to sign download of the initial quicklisp.lisp, yes then users if they care about security would have to manually download the file and verify signature every month or so but it's at least some solution that can be done now.

  • ql-https

    HTTPS support for Quicklisp via curl

  • quicklisp-https

    I use this on a system that has curl to safely bootstrap https://github.com/snmsts/quicklisp-https.git which then uses openssl via dexador so that I can drop the curl dependency. A bit of a dance to get everything up and running, but once it is done for a given system you are good to go.

  • BDFProxy

    Patch Binaries via MITM: BackdoorFactory + mitmProxy.

    for same sort of thing but not lisp, see backdoor factory that will backdoor any .exe you download over connection that attacker is MITMing. attacker doesn't need to know what specific library you will download from quicklisp, they write a mitmproxy script like that so for any download from quicklisp.org, it opens the .tar.gz, adds some malicious lisp to it (probably that just executes shell command to download and execute their normal malware, password stealer or whatever as I don't think they going to write full malware in lisp), repack it as .tar.gz you were requesting and serve it to you. It's not the same issue as phishing where they email saying please open and run attachment.exe and you click through all the warnings that you are doing something dangerous and about to run untrusted code. You just use quicklisp as you normally do, if you install any package, when an attacker can MITM your connection they can run code on your computer. Yes that is sometimes also possible with browser exploit but browsers have multiple layers of sandbox and protections against it, and when someone finds a vulnerability that gets through it is treated as a serious vulnerability to fix. some of this thread seems people saying well nothing is perfectly secure a sufficiently pacient, skilled, well-funded attacker can always get through somehow, so it doesn't matter raising the bar off the floor by not using http unverified to download code we run on people's computer

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.

Suggest a related project

Related posts

  • Malware installed in this bluetooth remote?

    1 project | /r/hacking | 1 Jun 2023
  • bettercap hell

    1 project | /r/netsec | 25 May 2023
  • Bettercap – Swiss Army Knife for 802.11, BLE, IPv4 and IPv6 Networks

    1 project | /r/patient_hackernews | 3 Dec 2022
  • Bettercap – Swiss Army Knife for 802.11, BLE, IPv4 and IPv6 Networks

    1 project | /r/hackernews | 3 Dec 2022
  • Bettercap – Swiss Army Knife for 802.11, BLE, IPv4 and IPv6 Networks

    1 project | /r/hypeurls | 3 Dec 2022