Re: SSL for debian.org/security?
- To: debian-security@lists.debian.org
- Subject: Re: SSL for debian.org/security?
- From: Jacob Appelbaum <jacob@appelbaum.net>
- Date: Thu, 07 Nov 2013 09:45:26 +0000
- Message-id: <527B6136.30902@appelbaum.net>
- In-reply-to: <527298C4.30707@at.or.at>
- References: <CAAy1gkeUt_jr0uDt0B=HdnAZnmmHDqygrwgYg4dU7X9zjVUrSA@mail.gmail.com> <20131029041017.GA497@dingens.org> <CADK2VQyDDT4yKFwROAGc15m=6guL-bnOKBOMEk9NSiWWAAaHig@mail.gmail.com> <5270D88B.5010208@riseup.net> <20131030075125.022d6d356fe495d58b1c0187@gmail.com> <5270FCC7.2030201@gmail.com> <20131030090519.edbed5df4568ec3e6f213a3d@gmail.com> <52710AD3.1000806@gmail.com> <1383144555.23607.4.camel@rp1.business> <527298C4.30707@at.or.at>
Hans-Christoph Steiner:
> On 10/30/2013 10:49 AM, Norbert Kiszka wrote:
>> On 2013-10-30, Wed at 11:34 -0200, Djones Boni wrote:
>>> On 30-10-2013 11:05, Celejar wrote:
>>>> You're snipping crucial context; my comment above was in response to
>>>> this:
>>>>> For apt-get a self-signed certificate could be used which comes together
>>>>> with Debian. No CA required. This is both simpler and safer.
>>>> I was pointing out that this comment makes no sense in the context of
>>>> apt-get. It sounds like you're referring to the website or email system.
>>> I am talking about updates.
>>>
>>> Yes. Apt uses OpenPGP to verify the integrity and authenticity of the
>>> packages it downloads.
>>> But how does apt get these packages? Over insecure HTTP.
>>>
>>> Hacking DNS or a MITM attack can hide updates from you or a country. Then
>>> you are vulnerable due to out-of-date software and you don't even know
>>> about it.
>>
>>> and you don't even know
>>> about it.
>>
>> That's why I am on the debian-security@lists.debian.org
>
> A governmental firewall could just as easily block an email as it could
> block/filter information about security updates. In order to understand why
> Tor and TLS would be useful here, it is good to break down the various concerns
> (or threats if you prefer):
>
> 1. package authenticity (provided by the GPG signatures)
> 2. package availability (can currently be manipulated by MITM)
> 3. repo availability (can be blocked by firewalls)
> 4. who's downloading what package (currently visible to anyone who can see the
> network traffic)
>
> Most people are used to thinking about #1 when thinking about the security of
> Debian repos. But 2-4 are also important, and currently not well addressed.
> This is where TLS and Tor come in. Both can help prevent MITM manipulations
> as well as reduce the amount of information that is leaked to the network.
> Tor can also help with #3 since Tor is difficult to block (though China and
> Iran are effectively blocking Tor traffic these days).
>
> I think having official Debian repos available with both TLS and Tor available
> as options is a very good idea. I'm happy to help where I can, but I'm not on
> the sysadmin team (though I was a sysadmin in a former life).
>
> Also, there are a number of official mirrors that already support TLS. I
> haven't looked to see if there are any repos available from a Tor Hidden Service.
>
Thanks for writing that summary, Hans.
This is part of a good defense in depth plan.
It would be nice to have an official Debian.org machine with a key in a
hardware security module. This would allow us to pin against specific
certificates and to avert MITM attacks by failing closed.
All the best,
Jacob
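As an added example (not code from apt or from anyone in this thread), the Python check below illustrates concern #2 in Hans's list, package availability: an attacker on the path cannot forge a signed Release file, but can keep replaying an old one so a client never learns about newer security updates. Checking the Release file's own Date and Valid-Until fields against the local clock, which apt does via Acquire::Check-Valid-Until, turns that into a detectable failure. The sample Release text is constructed, not a real archive file.

```python
"""Freshness check for an apt Release file.  An OpenPGP signature proves a
Release came from the archive, not that it is current: an on-path attacker
can keep serving an old, still validly signed Release so a client never sees
newer updates.  Date / Valid-Until versus the local clock detects that."""
from datetime import datetime, timedelta, timezone

DATE_FORMAT = "%a, %d %b %Y %H:%M:%S %Z"  # e.g. "Sat, 04 May 2024 10:12:34 UTC"

# Constructed sample, not a real Debian Release file.
SAMPLE_RELEASE = """\
Suite: stable-security
Date: Sat, 04 May 2024 10:12:34 UTC
Valid-Until: Sat, 11 May 2024 10:12:34 UTC
SHA256:
 0000000000000000000000000000000000000000000000000000000000000000 1234 main/binary-amd64/Packages
"""

def parse_release_fields(text):
    """Header fields as a dict; the indented hash lists and empty
    section headers such as 'SHA256:' are skipped."""
    fields = {}
    for line in text.splitlines():
        if not line or line.startswith(" "):
            continue
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields

def parse_release_date(value):
    """Release timestamps are RFC 822 style and always given in UTC."""
    return datetime.strptime(value, DATE_FORMAT).replace(tzinfo=timezone.utc)

def check_freshness(release_text, now, max_age_days=7):
    """Return (ok, reason).  Rejects a Release missing Date or Valid-Until
    (replay window unbounded), dated in the future, expired, or too old."""
    fields = parse_release_fields(release_text)
    if "Date" not in fields or "Valid-Until" not in fields:
        return False, "missing Date or Valid-Until field"
    date = parse_release_date(fields["Date"])
    valid_until = parse_release_date(fields["Valid-Until"])
    if date > now + timedelta(minutes=5):
        return False, "Date %s is in the future" % fields["Date"]
    if now > valid_until:
        return False, "Valid-Until %s has passed" % fields["Valid-Until"]
    if now - date > timedelta(days=max_age_days):
        return False, "Release is %d days old" % (now - date).days
    return True, "fresh"
```

A Release that fails this check should be treated like a failed signature: the client keeps its previous index rather than silently accepting a stale one.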