Passenger security update check

The Passenger security update check provides a way to warn the user about the availability of important security-related updates for Passenger. This allows the user to take timely action and upgrade Passenger to remain secure (the checker does not do any automatic upgrading). The check was introduced in Passenger version 5.1.0.

Check mechanism

The update check works as follows:

  1. When running, Passenger sends a request via HTTPS to a Phusion server at securitycheck.phusionpassenger.com
  2. The request contains: - Version number (Passenger) - Integration mode (Standalone, Nginx, Apache) - Integrated web server version number, if applicable (Nginx, Apache) - Whether PassengerAgent is statically linked against curl - Nonce (for security against replay attacks)
  3. The server replies with a signed response containing the nonce and, if applicable, information about important security updates (what issue was discovered, what is the impact, what version contains the fix)
  4. Passenger verifies both the signature as well as the nonce in the server response, and logs the response (level 1 / error if there is an update or a failure)
  5. The check is repeated on a daily basis

Security considerations

The security update check does not require direct external access, it can also be configured to use a web proxy.

The check only sends a minimal set of data, which is similar to what is also publicly available by default through the Server HTTP response header.

The check is built with state of the art security measures to ensure trust and confidentiality:

  • a secure connection (HTTPS) between Passenger and the Phusion security check server, against eavesdropping
  • Passenger checks the HTTPS server certificate (trust store, host name), before trusting the server enough to send it anything
  • Passenger generates a nonce (a combination of time and random values) that the server must sign to further prove its trustworthiness

These measures ensure that even if an attacker manages to hack a Certificate Authority and impersonate the Phusion HTTPS certificate, as well as intercept the network traffic between Passenger and the Phusion server, Passenger will still reject the response as long as the attacker doesn't have Phusion's private signing key.

The source code related to the security update check, including encryption sequences, is open for inspection on GitHub. You can also run Passenger with its log level set to 7 in order to see exactly which fields are exchanged with the server.

Options

The security update check can be configured to use a web proxy.

The check is on by default, but can also be turned off.

Advanced alerting (Passenger Enterprise)

For users of Passenger Enterprise (version 5.1.0 or higher), it is also possible to receive alerts via email or phone instead of just via the log file. Passenger Enterprise sends encrypted license information to the update check server in addition to the version and integration information so that Phusion can ensure the user is alerted.

The license information is first encrypted with a one-time (randomly generated) symmetric key, which is itself encrypted using a Phusion public key such that only Phusion can decrypt the information.