Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files
Christoph Anton Mitterer <firstname.lastname@example.org> writes:
> Anyway this should demonstrate quite practical, how fast attackers are
> these days and that severely reducing the validity times doesn't just
> help against some completely unreal attack vectors.
> Even if the security team is as fast as above, then a victim may be
> compromised by a downgrade attack, thus not even being notified about
> new upgrades.
Packages appearing on mirrors is not how we notify Debian users of
security updates. We do that by issuing a security advisory. Yes, it's
nice to protect against archive downgrade attacks, but validity periods
are not our primary defense against that. Our primary defense is that we
send out a DSA telling people exactly what package versions they need. If
those package versions aren't available, that should raise red flags.
Teams that run Debian servers in production should be checking that all
packages on their hosts are upgraded to the necessary versions.
I've run such production system clusters for many years now, and the
machinery and tools that you need to have in place to ensure that you
actually pushed out the security update to all systems will also trivially
catch downgrade attacks of the type that you're describing.
That's not to say that shorter validities are meaningless. They're
helpful for people whose *only* deployment method and check for security
updates is via some sort of automated apt upgrade process, with no one at
the wheel. Insofar as we can make those people safer without causing more
work for ourselves, we should. But we shouldn't confuse that with the
right way to check for security updates for Debian systems. People who
care about security updates need to be subscribed to
debian-security-announce and reading the DSAs.
> Conceptually, the "trust" lies in the server. Even when the client
> reduces his validity times, than a server could still simply distribute
> old packages, just newly signed.
But the MITM attacker who is launching a downgrade attack can't do this.
It seems to me that if you want to lower the chances of a downgrade attack
for your systems, setting the validity period on your systems is exactly
the tool that you need. There's no need for anything to change on the
server side for you to get that protection.
Russ Allbery (email@example.com) <http://www.eyrie.org/~eagle/>