Re: concrete steps for improving apt downloading security and privacy

[Elmar Stellnberger <estellnb@gmail.com>]

Now; I believe there are several things Debian could do to improve security.

In order to prevent unsuspecting users from downloading a compromised version of Debian I wanna propose the following:

* promote the inclusion of Debian-public-keys in any free live CD sold with magazines and books:

   http://www.sysresccd.org/forums/viewtopic.php?f=6&t=5208

   There is no sense in verifying a download with gpg unless you have fetched the public keys from a secure source.

* preinstall the DNSSEC/DANE plugin at least for Firefox by default.

  That may even warn the unsuspecting user when downloading an iso from an untrusted source.

  Even for an expert user there is no sense in downloading the root DNSKEYs from an untrusted source via the traditional https certificate chain.

* include secure checksums in *every* package header (not just for a majority of packages) for every file in the package

  and use sha256/512sums instead of the compromizable md5sums

  This could leverage checking your Debian installation by another boot medium later on >> see for (x) at the bottom

  with tools like debsums or better debcheckroot (https://www.elstel.org/debcheckroot/)

* https mirrors could in addition provide some additional security including

   - more privacy about the selection of packages you have downloaded

   - no deliberate delaying of new security updates (+ dnssec of course)

   - secure download of individual packages on a non Debian machine for transport to an offline Debian machine

   - an additional security mechanism if some private keys should ever be stolen temporarily

   !! in order to make this meaningful all these https mirrors would need to offer DNSSEC/DANE in addition because

      the current certificate authorization process is heavily compromised !!

That was rather an exception:

http://googleonlinesecurity.blogspot.co.nz/2014/07/maintaining-digital-certificate-security.html

This is really causing problems when not using DNSSEC/DANE:

http://webmasters.stackexchange.com/questions/35597/how-to-find-domain-registrar-and-dns-hosting-with-good-dnssec-support

(x) That may be even more important since you can also be compromised later on via the browser and a backdoor kernel system call

which allows the intruder to become root and exchange your key bundle. Moreover even the private keys could be stolen temporarily.

Am 10.07.2014 um 02:29 schrieb Kitty Cat:

For years I have been concerned with MITM attacks on Debian mirrors.

I think the only valid solution would be to individually sign EACH package with a valid GPG

signature from a trusted source.

I think EACH official package from Debian should be GPG signed by both package maintainers and
also signed by official Debian release people.

For example... What is secure about this download link?

http://cdimage.debian.org/debian-cd/7.5.0/i386/iso-cd/debian-7.5.0-i386-netinst.iso

Sure I can also download and check the signatures from here:

http://cdimage.debian.org/debian-cd/7.5.0/i386/iso-cd/

However, what if http://cdimage.debian.org/ is actually an NSA mirror site and not the real one?

Lets say that I want download anything from http://cdimage.debian.org/

My downloader resolves http://cdimage.debian.org/ to NSA mirror site through DNS cache poisoning
or some other means. So, whatever I am downloading is already compromised. All signatures are valid

but are from the NSA.

So there is no way for me to actually check that I have downloaded valid files if everything that I see is

actually faked!

If I go edit apt sources list and manage to get an actual real Debian server update, then apt tells me that

all packages available to download are security compromised.

Or lets say that I get a real install ISO disc and then later on my apt mirror site is redirected to NSA mirror.

Apt will tell me that all packages available to download are security compromised.

One of the two scenarios above has actually happened to me!!! I don't know if it is actually the NSA but it

DID happen to me. Aptitude was telling me that every single package available for download was compromised!

Think about this for a minute. If my ISP or upstream provider is secretly cooperating with the NSA and the
NSA wants to compromise my machine, they can make it so that everything that I download is through an
NSA source!

Remember, the NSA can create VALID SSL certificates for any website on the fly.

Your web browser trusts many certificate authorities and which ones are cooperating with the NSA?

So how can we really be sure that our Debian install has not been compromised from the beginning?

 

On Thu, Jul 3, 2014 at 8:44 PM, Hans-Christoph Steiner <hans@at.or.at> wrote:

After the latest revelation about NSA tracking all Tor downloads[1] (with
source code!) and the whole "Debian mirrors and MITM" redux, I think we should
start talking about concrete steps that we can take to improve the situation.

The first things that came to mind would be quite easy to do:

* include apt-transport-https by default in Debian
* include existing HTTPS mirrors wherever Debian mirrors are listed
  * https://www.debian.org/mirror/list
  * netselect-apt
  * http://http.debian.net/
  * apt-get's mirror://
* make http://cdn.debian.net/ have an only-HTTPS version
* encourage mirror operators to set up a Tor Hidden Service

There is already a good collection of HTTPS mirrors to choose from
(not-counting all the ones that have HTTPS enabled without a proper certificate).

https://mirror.i3d.net/pub/debian/
https://mirror.cpsc.ucalgary.ca/mirror/debian.org/debian/
https://mirror.cse.unsw.edu.au/debian/
https://mirrors.kernel.org/debian/
https://the.earth.li/debian/
https://mirror.vorboss.net/debian/
https://ftp.arnes.si/pub/packages/debian/
https://ftp.iitm.ac.in/debian/
https://ftp.uni-erlangen.de/debian/
https://ftp-stud.hs-esslingen.de/debian/
https://mirrors.ustc.edu.cn/debian/
https://mirror.cpsc.ucalgary.ca/mirror/debian.org/debian/
https://dennou-q.gfd-dennou.org/debian/
https://dennou-k.gfd-dennou.org/debian/
https://dennou-h.gfd-dennou.org/debian/


.hc

[1] http://daserste.ndr.de/panorama/aktuell/nsa230_page-1.html


--
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: [🔎] 53B6150A.3000602@at.or.at" target="_blank">https://lists.debian.org/[🔎] 53B6150A.3000602@at.or.at