
https for apt to prevent man in middle transparent proxy mirror attacks?



Paranoia department (sign my key; target on my back):

What if someone had control of a network who was "not a big Debian fan",
or who just wanted to be evil and get trojan horse software onto
people's computers for one reason or another.  This person sets up the
routers so that accesses to the official Debian mirrors are
transparently proxied to a mirror they keep, but with certain strategic
programs shadowed by their own version, with special patches applied.

They could, for instance, replace "ssh" with one that kept track of
people's passwords to remote computers, and somehow secretly sent that
information to the evil hacker on occasion, perhaps using some stealth
technique, like hiding it in DNS queries that are also handled by an
inside server.  So now Innocent Joe Hacker, the Freshman who gets Debian
Developer status and is logging on to Debian development computers using
ssh and a typed password, is really giving his password away to a person
with considerable knowledge of computer "security"... a person who owns
lots of stock in a large software firm that competes with Debian for
"market share".

How hard would it be for a person in control of the source code to
everything on a gateway router and name server to set up such a
man-in-the-middle proxy and implement this evil plan?  Is it
conceivable?  How long would it take them to get your ssh and gnupg
private keys?  Your banking passwords?

Now what if instead of http, we used https for access to the Debian
software archives?  As I understand it, https would make this sort of
MIM setup impossible.  Is that correct?  Are there any experts on this
subject out there who can vouch for that?  Can proxied https be
subverted, to where a person's website passwords can be obtained by a
middle man?  Can they fake out something like "apt" if it ran over
https, and have it return a special copy of a software package they've
trojan horsed?

I think that Debian should have its own internal PKI, and server keys
should be signed by its authority.  The Debian system really should be
managed securely enough to be trustable by government and corporate
users.  Is there any official process available that such a setup can be
validated by a third party?  At the bank, when they empty the teller
machine, they send two people to do it.  They call this "double
custody".  It's thought that two individuals are less likely to form a
conspiracy to steal deposits than it is that a single individual would
do so.  As they say, who will watch the watchers?

Government and corporate users who are somewhat paranoid can set up a
quarantine mirror, mirror only source packages, and set up a build
daemon, right?  The software setup for doing that should be packaged and
made turnkey.  It seems less likely that the source package will contain
the patch that adds the back door than it does that a binary could be
patched with compromise codes, built, un-patched, then the source
package built.

Perhaps uploading of binary packages should be done away with
altogether, and all packages should be built on known secure servers by
a build daemon?  It's easier to verify the source code and patches than
it is to verify a binary, right?  Then it comes down to who's in control
of the build servers, the archive network, and networks in between those
hosts.

I'm not going to GNU-pg sign this since we aren't sure if I'm really who
I say I am anyhow... and what I've said is likely valid no matter who I
really am.  (Or who I think I am.)
-- 
Karl Hegbloom <hegbloom@pdx.edu>
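As an added example (not part of the original post or of apt itself) of the countermeasure the post is asking for: if the package index apt reads carries per-package hashes and that index is itself checked against a key the distribution controls, a package substituted by a proxied mirror is rejected before installation, whether or not the transport was HTTPS. The package bytes and the index stanza below are constructed, and the signature check on the index is assumed to have already happened out of band.

```python
import hashlib
import hmac

# Constructed sample package contents standing in for real .deb files.
GENUINE_DEB = b"genuine ssh package contents (constructed sample)"
TROJANED_DEB = b"ssh package with password-logging patch (constructed sample)"

# Constructed Packages index stanza in the RFC822-style format apt reads.
# Assumption: this index reached us through a channel whose integrity was
# verified (e.g. a signature by the distribution's own key), so its hashes
# are the trust anchor; the mirror that serves the .deb is not trusted.
TRUSTED_PACKAGES_INDEX = (
    "Package: ssh\n"
    "Filename: pool/main/s/ssh/ssh_1.0-1_i386.deb\n"
    f"Size: {len(GENUINE_DEB)}\n"
    f"SHA256: {hashlib.sha256(GENUINE_DEB).hexdigest()}\n"
)

def parse_packages_index(text):
    """Parse blank-line separated stanzas into {package: {field: value}}."""
    index = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        index[fields["Package"]] = fields
    return index

def verify_package(name, data, index):
    """True only if the downloaded bytes match the trusted index entry."""
    entry = index.get(name)
    if entry is None:
        return False  # nothing trusted to compare against: refuse to install
    if int(entry["Size"]) != len(data):
        return False
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, entry["SHA256"].lower())

def fetch_from_mirror(name, mirror_is_honest):
    """Simulated mirror; the transparent-proxy mirror serves a shadowed ssh."""
    return GENUINE_DEB if mirror_is_honest else TROJANED_DEB

def install_check(name, mirror_is_honest):
    """Fetch from the (possibly proxied) mirror and verify against the index."""
    index = parse_packages_index(TRUSTED_PACKAGES_INDEX)
    data = fetch_from_mirror(name, mirror_is_honest)
    return verify_package(name, data, index)
```

The check catches the substituted package because the hash lives in the verified index, not in the transport; HTTPS to a mirror only authenticates the mirror, which in the proxied scenario is the attacker's.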


