
Re: some feedback about security from the user's point of view



Hi all,

A small disclaimer first: I am not affiliated with Debian in any way; I
am, as the original author would have put it, a user. I would like to
play devil's advocate on a few of the quite interesting points that Naja
raises:

1) Why is *getting* Debian over plain HTTP such a big issue? Assuming
that you even get a tampered .iso, it is trivial to verify that it is
not the genuine one, even using a "broken" hash algorithm such as
MD5. SSL-enabling all downloads from Debian would have the unfortunate
side effects of increasing the load on the servers, requiring more
budget from the Debian team, as well as meaning losing a few mirrors
around the globe. Personally, I view it as a reasonable risk, provided
that the end user verifies the .iso image before installing.

2) Regarding MD5, while indeed it has been broken, is it not sufficient
for simple checksumming purposes? I have not looked thoroughly into this,
so please feel free to correct me, but how practical would it have been for
someone to create a meaningful Debian .iso AND introduce backdoors to it
AND create an MD5 sum that matches the original one? Are there any
examples of it in the wild? Having said that, I am all for the use of
SHA256 or better in all newer examples/hashes, I cannot stress how
strongly I agree, even for the sake of "modernizing".

3) Regarding policies, I think that unfortunately Debian has a bad
record (cough, cough, OpenSSL PRNG circa 2008) so what is the current
situation? This is partially mitigated by the work performed by the
security team who kill bugs on a daily basis. Granted, this is a bit
after the fact but bugs get killed. Again, I fully agree with the author;
however, how can a centralized management "tool" such as policies be
applied to an all open-source distribution such as Debian? Does that by
extension mean that Debian developers have to proactively seek out
possible security bugs in other people's code?

Having said the above, the question is how could someone help by
donating time/skills to address the points raised by the original poster?

Cheers!


On 01/23/2011 06:35 PM, Naja Melan wrote:
> Hi,
>
> quite some people around me use debian with view of creating secure
> encrypted systems. Consider for example in france boum.org, who have
> published a book about computer security which advises people to use debian.
> Those people turn to me with questions about how safe things are and want
> advice for their practices.
>
> Some weeks ago I decided to have a look at debian and quite soon ran into
> questions and problems considering the security of debian. I would like to
> share some of those questions, remarks in this mail in the hope of
> stimulating a discussion and hopefully a more secure future for all of us as
> quite a few are going to need it and depend on it.
>
> Something that immediately drew my attention was the choice of
> debian.org not to have a certified SSL connection. I can see the
> reasons for this, and
> I am also aware of the limits in SSL, but I still want to raise the issue of
> being able to obtain a copy of debian with a higher degree of security than
> plain http. I set off to try to do that and the following describes my
> experiences:
>
> I ended on this page: http://debian.org/distrib/ which is quite short and I
> quite some information on this page http://debian.org/CD/http-ftp/ is also
> important for people using other methods of download like torrents however
> they don't get to see it (e.g. you only need disc 1 to install a standard
> debian system). Information regarding verifying the downloads is completely
> lacking from these pages which occurs to me to be odd. I finally found via
> google that it is in the faq:
> http://debian.org/CD/faq/#verify
>
> The instructions here are quite problematic. First of all, they advise the
> use of md5 which has been broken <http://en.wikipedia.org/wiki/MD5#Security>.
> It occurs to me that changing this documentation to use another hash would
> be trivial. If security advice from debian suggests the use of md5, it also
> makes me wonder where else in the debian operating or package system md5
> still gets used. It doesn't make me feel safe if an operating system does
> not have a policy to replace all occurrences of a certain cryptographic
> function after it has been broken. What is the position of the debian
> development/security team on this?
>
> Next the instructions in the faq suggest that the user can verify the
> correctness of these hashes with the pgp signature. This makes 2 problematic
> assumptions. First it assumes that users are in the web of trust and have a
> means of verifying the debian pgp key. Secondly it assumes that users
> understand the way a web of trust works and are also aware of the limits and
> vulnerabilities of it, as well as understand how to use it correctly.
> Considering that more and more less geeky people start to use linux systems,
> those assumptions exclude a growing group of users which are not directly
> linked to the debian development team in the web of trust, and who often
> don't even have pgp keys, or friends who do to allow them to get access to
> the web of trust. Personally I am not in the web of trust, and I don't think
> I personally know anyone who is.
>
> In conclusion of this, the highest level of security with which I and many
> others can obtain debian *in practice* is plain http. To make matters worse,
> this limitation is not obvious. This entry gives the impression that the
> user verifies something, and only the knowledgeable user will realise that
> they aren't if they cannot verify the pgp key. If it is considered useful to
> rewrite the faq entry on verification of the iso's and no one can be found
> to do it, let me know and I could make a proposition.
>
> Another general problem is that debian.org does not give much information
> about the development team's policies or attitudes vs security. No statement
> is made for example about what efforts are being taken to prevent the
> private pgp key from being compromised. In general, there is a security page
> on the debian.org website which has some very well sounding opening phrases
> but which gives very meager information on how the debian development team
> needs to behave in order to prevent security compromises. Neither does it
> give a list of past problems and the actions taken to prevent them in the
> future. See for example this quote from
> http://lists.debian.org/debian-security/2011/01/msg00002.html where this
> issue has already been discussed before:
>
>> HTTPS is going to make it harder for man-in-the-middle shenanigans,
>> but that is only part of the path "from the developer to the user."
>> One also has to consider whether the project's servers have been
>> tampered with - which tends to be the much more common attack (both
>> Debian and RedHat / Fedora have experiences with this).
>>
> If things like this happen, I like to know that they did and what has been
> done to prevent them in the future. Does debian have a policy requiring an
> official report to be written and published about security incidents?
>
> In conclusion if I as a user have to make some assessment about the security
> level of debian and I have to use the website to do that, debian scores
> quite badly. I personally opted to download and install fedora, because their
> website was much better, used certified https and their security
> instructions made much more sense. Considering that a user has no real way
> of auditing the secureness of an OS development, this "impression" is rather
> important and blatantly outdated, wrong or missing security advice scores
> really badly.
>
> As a final question I wonder if debian has security policies for developers
> and if they are publicly available? If so, could someone point me to them.
> If not, I think that this is really worrying.
>
> greetz
> Naja Melan
>
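
Added example, not part of either message above: a checker for coreutils-style checksum files (the `<hex>  <name>` layout that `md5sum` and `sha256sum` produce) that keeps "the image matches the checksum file" separate from "the checksum file itself was authenticated", which is the distinction both mails turn on. The function names, the `sums_authenticated` flag (set by the caller only after the checksum file's signature has been verified by some other means) and the sample data are constructed for illustration.

```python
import hashlib
import hmac
import io

# Hex digest length -> hashlib algorithm name.
ALGO_BY_HEX_LEN = {32: "md5", 64: "sha256", 128: "sha512"}
WEAK_ALGOS = {"md5"}
HEX_CHARS = set("0123456789abcdef")


def parse_sums(text):
    """Parse '<hex> <mode char><name>' lines into {name: (algo, hex)}."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, rest = line.partition(" ")
        digest = digest.lower()
        algo = ALGO_BY_HEX_LEN.get(len(digest))
        # After the digest comes one space, then ' ' (text) or '*' (binary).
        bad_mode = len(rest) < 2 or rest[0] not in (" ", "*")
        if algo is None or not set(digest) <= HEX_CHARS or bad_mode:
            raise ValueError(f"malformed checksum line: {line!r}")
        entries[rest[1:]] = (algo, digest)
    return entries


def verify_image(sums_text, name, stream, sums_authenticated, allow_weak=False):
    """Return a verdict string for `stream` against the entry for `name`."""
    entries = parse_sums(sums_text)
    if name not in entries:
        return "NOT_LISTED"
    algo, expected = entries[name]
    if algo in WEAK_ALGOS and not allow_weak:
        return "WEAK_HASH_REFUSED"
    h = hashlib.new(algo)
    for chunk in iter(lambda: stream.read(1 << 20), b""):  # stream, ISOs are large
        h.update(chunk)
    if not hmac.compare_digest(h.hexdigest(), expected):
        return "MISMATCH"
    # A match only proves the image agrees with the checksum file as received.
    return "MATCH_AUTHENTICATED" if sums_authenticated else "MATCH_UNAUTHENTICATED"


# Constructed sample data standing in for an image and its checksum file.
SAMPLE_IMAGE = b"constructed stand-in for an .iso image\n"
SAMPLE_SUMS = f"{hashlib.sha256(SAMPLE_IMAGE).hexdigest()}  sample.iso\n"

if __name__ == "__main__":
    print(verify_image(SAMPLE_SUMS, "sample.iso", io.BytesIO(SAMPLE_IMAGE), False))
```
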