Re: some feedback about security from the user's point of view

To: security@debian.org, debian-security@lists.debian.org
Subject: Re: some feedback about security from the user's point of view
From: Michael Gilbert <michael.s.gilbert@gmail.com>
Date: Sun, 23 Jan 2011 19:32:32 -0500
Message-id: <[🔎] AANLkTik1gHFaN0dAS1Vrp4Gn9LiBQG3jLauaYvAVW0CX@mail.gmail.com>
In-reply-to: <[🔎] 4D3C66A0.80903@gmail.com>
References: <[🔎] AANLkTikQR+o7FSg1ttopNVCsSpfjdPs+S2aYMVAd8GCt@mail.gmail.com> <[🔎] 4D3C66A0.80903@gmail.com>

On Sun, Jan 23, 2011 at 12:34 PM, AK wrote:
> Hi all,
>
> a small disclaimer first, I am not affiliated with debian in any way, I
> am, as the original author would have put it a user. I would like to
> play devil's advocate in a few of the quite interesting points that Naja
> raises:
>
> 1) Why is *getting* debian over plain HTTP such a big issue? Assuming
> that even you get a tampered .iso, it is trivial to verify that it is
> not the genuine one, even in using a "broken" hash algorithm such as
> MD5. SSL-enabling all downloads from Debian would have the unfortunate
> side effects of increasing the load on the servers, requiring more
> budget from the Debian team, as well as meaning losing a few mirrors
> around the globe. Personally, I view it as a reasonable risk, provided
> that the end user verifies the .iso image before installing.

There is no need to worry about additional load on the mirrors since
the only thing that needs to be verifiable are the checksums
themselves, and that could easily be hosted on a centralized https
server separate from the mirror system.

> Having said the above, the question is how could someone help by
> donating time/skills to address the points raised by the original poster?

This is one of the downsides of an all-volunteer organization: someone
actually needs to be interested, self-motivated, and willing to work
on the issue at hand.  However, in this case it will be hard for any
non-DD to effect any change directly.  You will need to work with
appropriate teams.

One thing that could be done is to draft up some better wording for
the faq and media download pages, then work with the www team to get
those changes implemented.

Also, a discussion could be started with SPI to see if they are
willing to purchase a CA cert.  That would at least allow users with
implicit trust in the CA system to get a nice fuzzy feeling when they
see the lock icon when downloading checksums.

Anyway, to sum up, things can certainly be improved; it just requires
someone to step up and work with the affected teams to make the
desired changes.

Best wishes,
Mike

Reply to:

Follow-Ups:
- Re: some feedback about security from the user's point of view
  - From: Robert Tomsick <robert@tomsick.net>
- Re: some feedback about security from the user's point of view
  - From: Raphael Geissert <geissert@debian.org>

References:
- some feedback about security from the user's point of view
  - From: Naja Melan <najamelan@gmail.com>
- Re: some feedback about security from the user's point of view
  - From: AK <platsakos@gmail.com>

Prev by Date: Re: some feedback about security from the user's point of view
Next by Date: Re: some feedback about security from the user's point of view
Previous by thread: Re: some feedback about security from the user's point of view
Next by thread: Re: some feedback about security from the user's point of view
Index(es):
- Date
- Thread