Re: SSL for debian.org/security?
Djones Boni:
> On 30-10-2013 11:05, Celejar wrote:
>> You're snipping crucial context; my comment above was in response to
>> this:
>>> For apt-get a self-signed certificate could be used which comes together
>>> with Debian. No CA required. This is both simpler and safer.
>> I was pointing out that this comment makes no sense in the context of
>> apt-get. It sounds like you're referring to the website or email system.
> I am talking about updates.
>
> Yes. Apt uses OpenPGP to verify the integrity and authenticity of the
> packages it downloads.
> But how does apt get these packages? Over insecure HTTP.
>
> Hacking DNS or MITM attack can hide updates from you or a country. Then
> you are vulnerable due to out-of-date software and you don't even know
> about it.
I think we can refer to the TUF threat model [1] when talking about
attacks against package managers.
You may have rollback attacks and/or indefinite freeze attacks in
mind. Perhaps others. Tell us.
Debian protects against these to some degree, because it uses the
valid-until [2] field, which is great.
Package lists are valid for two weeks, though. Getting package lists
over SSL and/or Tor hidden services could make this even more secure.
[1] https://www.updateframework.com/projects/project/wiki/Docs/Security
[2] http://blog.ganneff.de/blog/2008/09/23/valid-until-field-in-release-f.html
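The Valid-Until check discussed above, as an added example that is not part of this thread or of apt itself: a small Python checker that reads the header fields of a Release file, treats a Valid-Until in the past as a possible freeze attack (a stale package list replayed to hide updates) and a Date older than metadata already accepted as a possible rollback. The field names are the real Release-file ones; the sample file contents and the check_release function are constructed for illustration.

```python
from datetime import timezone
from email.utils import parsedate_to_datetime

# Constructed sample Release file (not a real Debian release). Only the
# RFC 822-style header fields matter here; the checksum entry is a dummy.
SAMPLE_RELEASE = """\
Origin: Debian
Label: Debian
Suite: stable
Codename: wheezy
Date: Sat, 12 Oct 2013 08:44:02 UTC
Valid-Until: Sat, 19 Oct 2013 08:44:02 UTC
Architectures: amd64 i386
Components: main
SHA256:
 0000000000000000000000000000000000000000000000000000000000000000 1234 main/binary-amd64/Packages
"""


def parse_release(text):
    """Return the top-level 'Key: value' fields of a Release file as a dict.
    Indented lines belong to the checksum blocks and are skipped."""
    fields = {}
    for line in text.splitlines():
        if not line or line[0].isspace():
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def _parse_date(value):
    """Parse an RFC 822 date as used in Release files; assume UTC if no zone."""
    dt = parsedate_to_datetime(value)
    return dt if dt.tzinfo is not None else dt.replace(tzinfo=timezone.utc)


def check_release(text, now, last_seen_date=None):
    """Classify a Release file fetched at time `now` (RFC 822 date string).
    Returns 'ok', 'missing-valid-until', 'rollback' or 'expired'.
    `last_seen_date` is the Date of the last Release file already accepted."""
    fields = parse_release(text)
    if "Valid-Until" not in fields:
        return "missing-valid-until"  # no freeze protection possible
    date = _parse_date(fields["Date"])
    if last_seen_date is not None and date < _parse_date(last_seen_date):
        return "rollback"  # older metadata than what was already trusted
    if _parse_date(now) > _parse_date(fields["Valid-Until"]):
        return "expired"  # stale list replayed: possible freeze attack
    return "ok"
```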