[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: improving downloader packages (was: Re: holes in secure apt)

On Fri, 2014-06-20 at 09:17 +0200, Raphael Hertzog wrote: 
> Why not switch it to something more dynamic ?
Sounds good... 

> Make the package an empty shell with symlinks pointing to
> /var/lib/debian-keyring/, add a cron job that rsyncs the keyring
> to that directory.
I've just thought about that... and my initial thought was... use they
global keyserver network for this.

But my second thought reminded me of what I often brought up here before
and what I've now forgot myself:

If you use the keyserver network, a solution like rsync or anything
similar... then you may easily become vulnerable to blocking/downgrade

- I pull in new keys/signatures either via SKS keyservers, rsync or some
other dynamic method.
- Attacker gives me however an old state of the keys/signatures, where
e.g. a compromised key is not yet revoked, or he simply drops the
revocation signature..
- I won't notice this, any happily verify and packages/etc. since I
think the signature is still valid.

Thus, if any dynamic key retrival would be implemented, the following
would have to be done:
- secured connection to some fully trusted server (i.e. not one that
uses hkps with GANDI certs :P) in order to prevent any blocking attacks.
- some valid from/through information would need to be verified in order
to prevent any downgrade/replay attacks.


Attachment: smime.p7s
Description: S/MIME cryptographic signature

Reply to: