some feedback about security from the user's point of view
quite some people around me use debian with view of creating secure encrypted systems. Consider for example in france boum.org, who have published a book about computer security which advises people to use debian. Those people turn to me with questions about how safe things are and want advice for their practices.
Some weeks ago I decided to have a look at debian and quite soon ran into questions and problems considering the security of debian. I would like to share some of those questions, remarks in this mail in the hope of stimulating a discussion and hopefully a more secure future for all of us as quite a few are going to need it and depend on it.
Something that immediately drew my attention was the choice of debian.org not to have a certified SSL connection. I can see the reasons for this, and I am also aware of the limits in SSL, but I still want to raise the issue of being able to obtain a copy of debian with a higher degree of security than plain http. I set of to try to do that and the following describes my experiences:
I ended on this page: http://debian.org/distrib/ which is quite short and I quite some information on this page http://debian.org/CD/http-ftp/ is also important for people using other methods of download like torrents however they don't get to see it (e.g. you only need disc 1 to install a standard debian system). Information regarding verifying the downloads is completely lacking from these pages which occurs to me to be odd. I finally found via google that it is in the faq:
The instructions here are quite problematic. First of all, they advise the use of md5 which has been broken. It occurs to me that changing this documentation to use another hash would be trivial. If security advice from debian suggests the use of md5, it also makes me wonder where else in the debian operating or package system md5 still gets used. It doesn't make me feel safe if an operating system does not have a policy to replace all occurrences of a certain cryptographic function after it has been broken. What is the position of the debian development/security team on this?
Next the instructions in the faq suggest that the user can verify the correctness of these hashes with the pgp signature. This makes 2 problematic assumptions. First it assumes that users are in the web of trust and have a means of verifying the debian pgp key. Secondly it assumes that users understand the way a web of trust works and also is aware of the limits and vulnerabilities of it, as well as understands how to use it correctly. Considering that more and more less geeky people start to use linux systems, those assumptions exclude a growing group of users which are not directly linked to the debian development team in the web of trust, and who often don't even have pgp keys, or friends who do to allow them to get access to the web of trust. Personally I am not in the web of trust, and I don't think I personally know anyone who is.
In conclusion of this, the highest level of security with which I and many others can obtain debian in practice is plain http. To make matters worse, this limitation is not obvious. This entry gives the impression that the user verifies something, and only the knowledgeable user will realise that they aren't if they cannot verify the pgp key. If it is considered useful to rewrite the faq entry on verification of the iso's and no one can be found to do it, let me know and I could make a proposition.
Another general problem is that debian.org does not give much information about the development team's policies or attitudes vs security. No statement is made for example about what efforts are being taken to prevent the private pgp key from being compromised. In general, there is a security page on the debian.org website which has some very well sounding opening phrases but which gives very meager information on how the debian development team needs to behave in order to prevent security compromises. Neither does it give a list of past problems and the actions taken to prevent them in the future. See for example this quote from http://lists.debian.org/debian-security/2011/01/msg00002.html where this issue has already been discussed before:
HTTPS is going to make it harder for man-in-the-middle shenanigans,
but that is only part of the path "from the developer to the user."
One also has to consider whether the project's servers have been
tampered with - which tends to be the much more common attack (both
Debian and RedHat / Fedora have experiences with this).
If thing like this happen, I like to know that they did and what has been done to prevent them in the future. Does debian have a policy requiring an official report to be written and published about security incidents?
In conclusion if I as a user have to make some assessment about the security level of debian and I have to use the website to do that, debian scores quite bad. I personally opted to download and install fedora, because their website was much better, used certified https and their security instructions made much more sense. Considering that a user has no real way of auditing the secureness of an OS development, this "impression" is rather important and blatantly outdated, wrong or missing security advice scores really bad.
As a final question I wonder if debian has security policies for developers and if they are publicly available? If so, could someone point me to them. If not, I think that this is really worrying.