Re: SSL for debian.org/security?

To: debian-security@lists.debian.org
Subject: Re: SSL for debian.org/security?
From: Hans-Christoph Steiner <hans@at.or.at>
Date: Mon, 11 Nov 2013 21:02:34 -0500
Message-id: <[🔎] 52818C3A.6050000@at.or.at>
In-reply-to: <[🔎] CAKS89GrBGt0Uyq0bSn6GnO-QQ5xz8f3kVDGGvc8QDUJbWOdvvg@mail.gmail.com>
References: <CAAy1gkeUt_jr0uDt0B=HdnAZnmmHDqygrwgYg4dU7X9zjVUrSA@mail.gmail.com> <526F7FDF.7030601@tightwax.com> <CAM5XQnxCxogD4JMaqyS27zzsorFZ-G8Dsa_71sABGFQHChmrag@mail.gmail.com> <526F855D.1080507@gmail.com> <[🔎] CAF8px56hAkiE8_GiV=jr0AWiNdfhUF-x7-7oeCwe5VGGT1M_cA@mail.gmail.com> <[🔎] CAKS89GrBGt0Uyq0bSn6GnO-QQ5xz8f3kVDGGvc8QDUJbWOdvvg@mail.gmail.com>


On 11/11/2013 07:41 PM, Jérémie Marguerie wrote:
> On Mon, Nov 11, 2013 at 2:48 PM, Mike Mestnik <cheako@mikemestnik.net> wrote:
>> I don't see how this is relevant?  Obviously if hardware is seized then the
>> owners no longer have control.  If you have suggestions as to how to secure
>> hardware that's great, but if you just want to point out that "Nothing can
>> be done."  That's not helpful.
> 
> I think Jacob suggests to get a encryption hardware module that does
> not disclose the key.
> 
> Let's get back to "how can we protect the SSL certificate of the server?"
> To protect against the certificate being stolen with physical access,
> you can encrypt the hard drive (it causes other problems, like how you
> enter the key to decrypt the disk -- you can SSH during the boot to
> provide the decryption key to Luks).
> But it does not protect against freezing the RAM of the server to
> extract the private key.
> 
> But... this has both little chance to occur and little chance of the
> sysadmin/security guys not noticing it (and thus reacting to that
> immediately).
> This is also probably more complicated and dangerous than, say, being
> the US government and request a signed certificate from a US company
> under a sort of FISA warrant (that they cannot disclose) to do "lawful
> interception". But all of this is very theoretical.
> 
> What Jacob suggests is to have a HSM (Hardware Security Module) that
> contains the private certificate and make it impossible (understand:
> very very hard) to extract the key. The black box signs what it gets
> asked without revealing the certificate.
> And then the idea is to do "certificate pinning" in the distribution
> to make sure the SSL certificate hasn't be forged by a trusted third
> party (see the Comodo/Diginotar problem).
> 
> I doubt/really hope that Debian doesn't need that much complicated
> system to securely its package.

The crypto smartcard (aka Hardware Security Module) are some work to setup,
but not really all that much.  And they are easy to use once setup.  And they
provide a huge boost in the security of the certificate.

As for certificate pinning, that is quite easy.  Debian already does it, more
or less, by including the SPI and cacert.org certificates.

.hc

Reply to:

Follow-Ups:
- Re: SSL for debian.org/security?
  - From: "Andreas Kuckartz" <a.kuckartz@ping.de>

References:
- Re: SSL for debian.org/security?
  - From: Mike Mestnik <cheako@mikemestnik.net>
- Re: SSL for debian.org/security?
  - From: Jérémie Marguerie <jeremie@marguerie.org>

Prev by Date: Re: SSL for debian.org/security?
Next by Date: Re: How (un)safe would Debian be when only using the security.debian.org repository?
Previous by thread: Re: SSL for debian.org/security?
Next by thread: Re: SSL for debian.org/security?
Index(es):
- Date
- Thread