[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: When should we https our mirrors?

Greetings list :)

> So, the real question:
> So, when are we going to push this? If not now, what criteria need to be
> met? Why can't we https-ify the default CDN mirror today?
> (Sadly this means my trick to MITM the debian mirrors with my LAN mirror
> breaks, but this strikes me as a feature not a bug)
> Toodles,
>    paultag

I rose the same question recently in private email to Salvatore
Bonaccorso. Here below was that email, to reiterate some key thoughts
also brought up in this thread and others not brought up:

Hello Debian Security Team -- Let me first say that I highly respect
everyone here and I am only reaching out because I have grave concerns
about global security impacting Debian. I am sure everyone here is
much smarter than me, so I am looking for some feedback on this.

There have been numerous prior discussions on the topic of APT + HTTP
security, but I want to lay an issue to rest about this knowing what
we know about nation state surveillance attacking global systems.
Although APT theoretically protects tampering of packages in transit
over HTTP based on the signing key, there are numerous ways to exploit
the plaintext HTTP protocol in transit and the way APT handles some
aspects of validation. But that is not even the main issue. I will
detail the main issue next.

The main issue is that a well positioned attacker, such as the NSA or
Chinese router admins, have the ability to collect and analyze in
real-time what systems have installed what patches installed by
monitoring the historical / real-time patch requests downloaded to
Debian systems. Eg. given a global view of the Internet, the NSA could
craft queries like "Show us all German systems that originate from
network ranges belonging to <insert-any-org-here> that have never
requested a patch for <insert-any-vuln-here>". Even if behind NAT,
internal systems could be specifically analyzed based on client / NAT
fingerprinting. This may not be restricted to external facing systems,
as it is possible that localized patches for something like
Shellshock, HeartBleed, glibc updates, kernel updates, may also be of
interest after they intrude into the internal network. This is really
the key. Using APT with HTTP by default makes the entire Internet much
more vulnerable. With Let's Encrypt offering free TLS certificates, I
find no reason to see why Debian would allow such surveillance above
to continue. These attacks are happening. We know this from numerous
sources. Let's put this issue to rest and move to APT+HTTPS by
default. It does not make spoofing a certificate impossible, but it
makes the attacks harder, more complex, and costly to the NSA. And
with HSTS + HPKP, Debian could also be in a position to prevent most
root CA spoofing attacks as well that might try to still gather system
information as detailed above.

What say you? I humbly request your thoughts.

To which Salvatore replied:

> Thanks for bringing this topic up and sharing your concerns. Don't get
> me wrong, but I think it is better to discuss this in public. In fact
> it pops up from time to time already. Just recently there was a topic
> in similar direction on the debian-devel mailinglist as started here:
> https://lists.debian.org/debian-devel/2016/10/msg00281.html
> Maybe you might cime in there in the discussion with as well your
> arguments.
> Regards,
> Salvatore

I should probably also mention after reading this thread, that for
good measure, adding HTTP/2 could dramatically lower overhead
concerns. Thoughts?


Kristian Erik Hermansen

Reply to: