Now, I believe there are several things Debian could do to improve security.
In order to prevent unsuspecting users from downloading a compromised version of Debian, I wanna propose the following:
* promote the inclusion of Debian-public-keys in any free live CD sold with magazines and books:
There is no sense in verifying a download with gpg unless you have fetched the public keys from a secure source.
* preinstall the DNSSEC/DANE plugin at least for Firefox by default.
That may even warn the unsuspecting user when downloading an iso from an untrusted source.
Even for an expert user there is no sense in downloading the root DNSKEYs from an untrusted source via the traditional https certificate chain.
* include secure checksums in *every* package header (not just for a majority of packages) for every file in the package
and use sha256/512sums instead of the compromisable md5sums
This could leverage checking your Debian installation by another boot medium later on >> see (x) at the bottom
with tools like debsums or better debcheckroot (https://www.elstel.org/debcheckroot/)
* https mirrors could in addition provide some additional security including
- more privacy about the selection of packages you have downloaded
- no deliberate delaying of new security updates (+ dnssec of course)
- secure download of individual packages on a non-Debian machine for transport to an offline Debian machine
- an additional security mechanism if some private keys should ever be stolen temporarily
!! in order to make this meaningful all these https mirrors would need to offer DNSSEC/DANE in addition because
the current certificate authorization process is heavily compromised !!
That was rather an exception:
This is really causing problems when not using DNSSEC/DANE:
(x) That may be even more important since you can also be compromised later on via the browser and a backdoor kernel system call
which allows the intruder to become root and exchange your key bundle. Moreover even the private keys could be stolen temporarily.
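A minimal offline verifier in the spirit of the per-file checksum proposal above, as an added example that is neither the post's code nor debsums/debcheckroot: it parses a `sha256hex  relative/path` manifest (the same two-space layout dpkg uses for its md5sums files) and compares it against an installation mounted at some root. The root directory, file contents and manifest below are all constructed inside the script.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path, algo: str = "sha256") -> str:
    """Stream a file through hashlib so large binaries are not read into memory at once."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def parse_sums(manifest: str) -> dict:
    """Parse 'hexdigest  relative/path' lines into {path: digest}; blank lines are skipped."""
    entries = {}
    for line in manifest.splitlines():
        line = line.strip()
        if line:
            digest, _, rel = line.partition("  ")
            entries[rel] = digest.lower()
    return entries


def verify_root(root: Path, manifest: str, algo: str = "sha256") -> dict:
    """Check every manifest entry below `root` (e.g. a root mounted read-only from a rescue medium)."""
    result = {"ok": [], "modified": [], "missing": []}
    for rel, expected in sorted(parse_sums(manifest).items()):
        target = root / rel
        if not target.is_file():
            result["missing"].append(rel)
        elif file_digest(target, algo) != expected:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo() -> dict:
    """Constructed scenario: tiny fake installation, sha256 manifest, then one file altered and one deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {"bin/ls": b"original ls\n", "etc/motd": b"Debian\n", "usr/share/doc/x": b"doc\n"}
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        manifest = "\n".join(f"{hashlib.sha256(d).hexdigest()}  {r}" for r, d in files.items())
        (root / "bin/ls").write_bytes(b"tampered ls\n")   # simulated post-install modification
        (root / "usr/share/doc/x").unlink()                # simulated deleted file
        return verify_root(root, manifest)
```

Such a check is only as good as the manifest: it has to cover every file of every package and be fetched from a source the attacker could not alter, which is the point the proposal makes.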
On 10.07.2014 at 02:29, Kitty Cat wrote: