
Re: software outside Debian (Re: holes in secure apt)

On Tue, 2014-06-17 at 13:39 +0200, Holger Levsen wrote: 
> > Well I guess the reason for flash is rather the license, isn't it?
> no, it's in contrib, because it's a downloader package.
Well sure... but flash itself is not in main for its license...

> both torbrowser-launcher as well as flashplugin-nonfree use gpg to verify 
> securely what they've downloaded.
> so I guess you will need to pick on other examples ;-) And just file bugs when 
> you find these.

torbrowser-launcher seems to use the keys from the upstream
developers... basically giving them (who are not DDs) the potential
power to install _any_ code in the system of Debian users.
It also doesn't seem to protect against downgrading attacks... (see my
previous post about that).

flashplugin-nonfree seems to use the key of a DD, which is much better,
and I guess Bart Mertens regularly uploads new flash players and signs
them himself... but still I see no protection against downgrading.

An attacker could easily MitM a user with an older (but vulnerable)
version which is however correctly signed.
Even if the signatures would expire (and Bart Mertens would re-sign them
every few days)... you'd still have a rather large attack window.

Not to talk about the practical problem that users aren't informed any
longer about new versions (and security updates).

That's why I wrote in my previous mail that usually one should depend
on a fixed hash in such downloader packages... doing it with gpg is
securely possible, but much more complicated.


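Added illustration, not code from this thread or from either downloader package: a minimal model of the two verification designs discussed above. The artifacts, version numbers and the stand-in for a successful gpg check are all constructed; it shows why a signature-only check accepts an older, correctly signed build while a pinned hash (or a signature plus a version floor) rejects it.

```python
"""Hash pinning vs. signature-only verification in a downloader package."""
import hashlib
import hmac

# Constructed sample "downloads" standing in for upstream tarballs.
ARTIFACTS = {
    "plugin-1.2.3.tar.gz": b"constructed payload: plugin 1.2.3 (current)",
    "plugin-1.2.2.tar.gz": b"constructed payload: plugin 1.2.2 (older, vulnerable)",
}
TAMPERED = b"constructed payload: not signed by anyone"

# What the packager pins at upload time: the hash of the exact current build.
PINNED_SHA256 = hashlib.sha256(ARTIFACTS["plugin-1.2.3.tar.gz"]).hexdigest()

# Stand-in for "gpg --verify succeeded": the signer has signed every release
# it ever shipped, so old and new builds both carry a valid signature.
SIGNED_DIGESTS = {hashlib.sha256(v).hexdigest() for v in ARTIFACTS.values()}


def signature_ok(data: bytes) -> bool:
    """Signature-only check: true for anything the key ever signed."""
    return hashlib.sha256(data).hexdigest() in SIGNED_DIGESTS


def verify_pinned(data: bytes, pinned_hex: str) -> bool:
    """Fixed-hash check: accept only the artifact the package was built for."""
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, pinned_hex)


def version_of(filename: str) -> tuple:
    """Parse 'plugin-1.2.3.tar.gz' -> (1, 2, 3); constructed naming scheme."""
    core = filename[len("plugin-"):-len(".tar.gz")]
    return tuple(int(part) for part in core.split("."))


def verify_signed_with_floor(filename: str, data: bytes, min_version: tuple) -> bool:
    """The 'more complicated' gpg route: valid signature AND a version floor
    shipped inside the package, so an older signed build is refused."""
    return signature_ok(data) and version_of(filename) >= min_version


if __name__ == "__main__":
    old_name, old_data = "plugin-1.2.2.tar.gz", ARTIFACTS["plugin-1.2.2.tar.gz"]
    print("sig-only accepts old build:", signature_ok(old_data))
    print("pinned hash accepts old build:", verify_pinned(old_data, PINNED_SHA256))
    print("sig+floor accepts old build:",
          verify_signed_with_floor(old_name, old_data, (1, 2, 3)))
```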