
Re: could we maybe serve checksums TLS on some mirrors? (was Re: concrete steps for improving apt downloading security and privacy)

Yes, I also think it is a pretty shame that we cannot download the sha256/512sums
from a server secured by https + DNSSEC/DANE. At least the master mirror
cdimage.debian.org needs to provide a secure connection for downloading
checksums and the *.jigdo and *.template files. Moreover I would appreciate the
jigdo program to work with https + possibly dnssec as well because http is inherently
untrusted and thus insecure. Finally jigdo itself would need to be uploaded to the
master mirror as we should not execute any program without inspection from a
source which is not secured (would imply that the source is also trusted).

If we have https + DNSSEC for lists.debian.org and debian.org why not also for


On 10.07.2014 at 18:52, Joel Rees wrote:

When I download a new install image, I pretty much always go to random
mirrors, some largish/mainish and some smallish/obscure and download
the copies of the checksum files. If all the checksum files compare, I
can be pretty confident that one of the following conditions exists:

(1) The image is good if the checksum command reports the correct checksum.

(2) Some attacker has compromised every mirror I have accessed.

(3) Some attacker is doing deep inspections on my traffic and
redirecting traffic every time I go looking for a debian mirror.

I check a minimum of three mirrors, but when I'm feeling especially
paranoid I'll check five or six.

It occurs to me that I might cede some usefulness to having the
checksums (not images) served over TLS transport on at least one of the
mirrors, if and only if I remember to set the SSL_CERT_FILE before I
fire up lynx to go get the checksums. It won't help me if my
randomness in choosing the servers isn't good enough in case (2), but
it should help in case (3).
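The multi-mirror cross-check described above, as an added example that is not part of this thread or of any Debian tooling: a POSIX shell script that compares the SHA256SUMS copies obtained from several mirrors and verifies the image only when every copy agrees. It assumes the checksum files have already been downloaded (by lynx, curl or whatever else; fetching is outside the script), so all files, including the stand-in image and a deliberately tampered checksum list, are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: cross-check checksum files from several mirrors, then verify
# the image. File names, mirror directories and the image content are constructed
# for this demo and are not real Debian artifacts.

# Use sha256sum where available (coreutils), otherwise shasum from perl.
sha256_tool() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$@"
    else
        shasum -a 256 "$@"
    fi
}

# checksums_agree FILE... : succeed only if every checksum file is byte-identical
# to the first one. Each disagreeing copy is named on stderr so the odd mirror
# out can be identified (case (2)/(3) in the message above).
checksums_agree() {
    ref="$1"; shift
    [ -f "$ref" ] || return 2
    rc=0
    for f in "$@"; do
        if ! cmp -s "$ref" "$f"; then
            echo "MISMATCH: $f differs from $ref" >&2
            rc=1
        fi
    done
    return $rc
}

# verify_image SUMS IMAGE : compare IMAGE's sha256 with its entry in SUMS.
# Accepts both "hash  name" (text) and "hash *name" (binary) sha256sum lines.
verify_image() {
    sums="$1"; image="$2"; name=$(basename "$image")
    expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "NO ENTRY: $name is not listed in $sums" >&2
        return 2
    fi
    actual=$(sha256_tool "$image" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name matches $sums"
        return 0
    fi
    echo "FAILED: $name sha256 $actual != expected $expected" >&2
    return 1
}

# --- constructed fixture: three honest mirrors and one tampered copy ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir "$WORK/mirror1" "$WORK/mirror2" "$WORK/mirror3" "$WORK/evil"
printf 'constructed stand-in for an install image\n' > "$WORK/debian-netinst.iso"
( cd "$WORK" && sha256_tool debian-netinst.iso > mirror1/SHA256SUMS )
cp "$WORK/mirror1/SHA256SUMS" "$WORK/mirror2/SHA256SUMS"
cp "$WORK/mirror1/SHA256SUMS" "$WORK/mirror3/SHA256SUMS"
# A checksum list that does not match the image (constructed, 64 hex digits).
printf '%s  debian-netinst.iso\n' \
    'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff' \
    > "$WORK/evil/SHA256SUMS"

# Honest case: all copies agree, so the image is checked against them.
if checksums_agree "$WORK/mirror1/SHA256SUMS" "$WORK/mirror2/SHA256SUMS" "$WORK/mirror3/SHA256SUMS"; then
    verify_image "$WORK/mirror1/SHA256SUMS" "$WORK/debian-netinst.iso"
fi

# Tampered case: one copy disagrees, so no copy is trusted and the image is not verified.
if ! checksums_agree "$WORK/mirror1/SHA256SUMS" "$WORK/evil/SHA256SUMS"; then
    echo "checksum copies disagree; fetch from more mirrors before trusting any of them"
fi
```

The comparison is deliberately byte-for-byte rather than per entry: a checksum list that differs at all (an extra line, a changed file name) is as suspicious as a changed hash, and the mirror that produced it is named so it can be dropped from the set.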
