Re: SSL for debian.org/security?

Hans-Christoph Steiner:
> On 10/30/2013 10:49 AM, Norbert Kiszka wrote:
>> On Wed, 2013-10-30 at 11:34 -0200, Djones Boni wrote:
>>> On 30-10-2013 11:05, Celejar wrote:
>>>> You're snipping crucial context; my comment above was in response to
>>>> this:
>>>>> For apt-get a self-signed certificate could be used which comes together
>>>>> with Debian. No CA required. This is both simpler and safer.
>>>> I was pointing out that this comment makes no sense in the context of
>>>> apt-get. It sounds like you're referring to the website or email system.
>>> I am talking about updates.
>>> Yes. Apt uses OpenPGP to verify the integrity and authenticity of the
>>> packages it downloads.
>>> But how does apt get these packages? Over insecure HTTP.
>>> Hacking DNS or a MITM attack can hide updates from you or from a whole
>>> country. Then you are vulnerable due to out-of-date software and you don't
>>> even know about it.
>> That's why I am on the debian-security@lists.debian.org
> A governmental firewall could just as easily block an email as it could
> block/filter information about security updates.  In order to understand why
> tor and TLS would be useful here, it is good to break down the various concerns
> (or threats if you prefer):
> 1. package authenticity (provided by the GPG signatures)
> 2. package availability (can currently be manipulated by MITM)
> 3. repo availability (can be blocked by firewalls)
> 4. who's downloading what package (currently visible to anyone who can see the
> network traffic)
> Most people are used to thinking about #1 when thinking about the security of
> Debian repos.  But 2-4 are also important, and currently not well addressed.
> This is where TLS and Tor come in.  Both can help prevent MITM manipulations
> as well as reduce the amount of information that is leaked to the network.
> Tor can also help with #3 since Tor is difficult to block (though China and
> Iran are effectively blocking tor traffic these days).
> I think having official Debian repos available with both TLS and Tor as
> options is a very good idea.  I'm happy to help where I can, but I'm not on
> the sysadmin team (though I was a sysadmin in a former life).
> Also, there are a number of official mirrors that already support TLS.  I
> haven't looked to see if there are any repos available from a Tor Hidden Service.

Thanks for writing that summary Hans.

This is part of a good defense in depth plan.

It would be nice to have an official Debian.org machine with a key in a
hardware security module. This would allow us to pin against specific
certificates and to avert MITM attacks by failing closed.

All the best,
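As an added illustration of threats 2 and 4 from Hans's list and of the "pin and fail closed" idea above (this is an editor's example, not code from anyone in the thread): the script below audits a constructed sources.list for entries fetched over plain HTTP or FTP, where a network attacker can rewrite or simply watch the package traffic, and emits an apt.conf fragment that restricts a given https mirror to one CA file via the apt-transport-https options `Acquire::https::<host>::CaInfo`, `Verify-Peer` and `Verify-Host`. The mirror hostnames, the CA file path and the `.onion` address are placeholders, and the sample sources list is made up for the demo.

```shell
#!/bin/sh
# Added example for the debian-security thread above; not part of any post.
# Flags apt sources that use unauthenticated, unencrypted transports and
# prints a per-host TLS pinning fragment for apt-transport-https.

# Constructed sample sources.list (placeholder hosts; not a real machine).
SAMPLE_SOURCES='deb http://ftp.debian.org/debian wheezy main
deb-src http://ftp.debian.org/debian wheezy main
deb http://security.debian.org/ wheezy/updates main
deb https://mirror.example.org/debian wheezy main
deb tor+http://exampleonionaddress.onion/debian wheezy main
deb [arch=amd64] http://mirror.example.net/debian wheezy main
# deb http://commented.example.org/debian wheezy main'

# audit_sources <sources-text>
# Prints "<line>:<uri>" for every active deb/deb-src entry whose URI is
# http:// or ftp://. Entries fetched over https:// or tor+http:// (the
# apt-transport-tor scheme) are left alone, as are comments.
audit_sources() {
    printf '%s\n' "$1" | awk '
        $1 == "deb" || $1 == "deb-src" {
            i = 2
            # Skip an optional [opt=val ...] block, which may span fields.
            if ($i ~ /^\[/) {
                while (i <= NF && $i !~ /\]$/) i++
                i++
            }
            uri = $i
            if (uri ~ /^(http|ftp):\/\//) print NR ":" uri
        }'
}

# count_insecure <sources-text>: number of flagged entries.
count_insecure() {
    audit_sources "$1" | wc -l | tr -d ' '
}

# pin_conf <host> <ca-file>
# apt.conf fragment: for this host, trust only the CA(s) in <ca-file>.
# CaInfo replaces the default CA bundle for that host, so a certificate
# issued by any other CA fails verification and apt refuses the download.
pin_conf() {
    host=$1
    cafile=$2
    cat <<EOF
// Generated pinning fragment for $host (example; path is a placeholder)
Acquire::https::$host::CaInfo "$cafile";
Acquire::https::$host::Verify-Peer "true";
Acquire::https::$host::Verify-Host "true";
EOF
}

# Stand-alone demo.
echo "Entries fetched over an unauthenticated transport:"
audit_sources "$SAMPLE_SOURCES"
echo
echo "Suggested /etc/apt/apt.conf.d/99pin-mirror for the https mirror:"
pin_conf mirror.example.org /etc/apt/mirror-ca.pem
```

The CA file named in `CaInfo` must contain the issuer of the mirror's certificate (or the mirror's own self-signed certificate, which is its own issuer); with that file in place apt fails closed for that host rather than falling back to the system CA store. Note that TLS addresses the on-path rewriting and eavesdropping in threats 2 and 4 only for the hop to the mirror; package authenticity (threat 1) still rests on the OpenPGP signatures on the Release files.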

