[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: concrete steps for improving apt downloading security and privacy

I agree that .deb packages should be individually signed, but I don't think
that the current apt system is vulnerable to package corruption.
 Having a signature in the .deb. would make things a lot more flexible in
terms of distribution because a .deb could be verified no matter how it ends
up on your system.  That lets people experiment and create their own
distribution systems, or use the tools that they already know when apt does
not work for them (internet outages, blocks, etc).

Having individually signed .deb packages would not change the existing
workflow since uploaders already have to sign packages before uploading them
to Debian.  This has been discussed in the past.  I really think it is just a
matter of someone doing the work.

.hc

On 07/09/2014 08:29 PM, Kitty Cat wrote:
> For years I have been concerned with MITM attacks on Debian mirrors.
> 
> I think the only valid solution would be to individually sign EACH package
> with a valid GPG
> signature from a trusted source.
> 
> I think EACH official package from Debian should be GPG signed by both
> package maintainers and
> also signed by official Debian release people.
> 
> For example... What is secure about this download link?
> 
> http://cdimage.debian.org/debian-cd/7.5.0/i386/iso-cd/debian-7.5.0-i386-netinst.iso
> 
> Sure I can also download and check the signatures from here:
> 
> http://cdimage.debian.org/debian-cd/7.5.0/i386/iso-cd/
> 
> However, what if http://cdimage.debian.org/ is actually an NSA mirror site
> and not the real one?
> 
> Lets say that I want download anything from http://cdimage.debian.org/
> <http://cdimage.debian.org/debian-cd/7.5.0/amd64/iso-cd/>
> 
> My downloader resolves http://cdimage.debian.org/
> <http://cdimage.debian.org/debian-cd/7.5.0/amd64/iso-cd/> to NSA mirror
> site through DNS cache poisoning
> or some other means. So, whatever I am downloading is already compromised.
> All signatures are valid
> but are from the NSA.
> 
> So there is no way for me to actually check that I have downloaded valid
> files if everything that I see is
> actually faked!
> 
> If I go edit apt sources list and manage to get an actual real Debian
> server update, then apt tells me that
> all packages available to download are security compromised.
> 
> Or lets say that I get a real install ISO disc and then later on my apt
> mirror site is redirected to NSA mirror.
> Apt will tell me that all packages available to download are security
> compromised.
> 
> One of the two scenarios above has actually happened to me!!! I don't know
> if it is actually the NSA but it
> DID happen to me. Aptitude was telling me that every single package
> available for download was compromised!
> 
> Think about this for a minute. If my ISP or upstream provider is secretly
> cooperating with the NSA and the
> NSA wants to compromise my machine, they can make it so that everything
> that I download is through an
> NSA source!
> 
> *Remember, the NSA can create VALID SSL certificates for any website on the
> fly.*
> 
> Your web browser trusts many certificate authorities and which ones are
> cooperating with the NSA?
> 
> So how can we really be sure that our Debian install has not been
> compromised from the beginning?
> 
> 
> 
> 
> 
> 
> 
> On Thu, Jul 3, 2014 at 8:44 PM, Hans-Christoph Steiner <hans@at.or.at>
> wrote:
> 
>>
>> After the latest revelation about NSA tracking all Tor downloads[1] (with
>> source code!) and the whole "Debian mirrors and MITM" redux, I think we
>> should
>> start talking about concrete steps that we can take to improve the
>> situation.
>>
>> The first things that came to mind would be quite easy to do:
>>
>> * include apt-transport-https by default in Debian
>> * include existing HTTPS mirrors wherever Debian mirrors are listed
>>   * https://www.debian.org/mirror/list
>>   * netselect-apt
>>   * http://http.debian.net/
>>   * apt-get's mirror://
>> * make http://cdn.debian.net/ have an only-HTTPS version
>> * encourage mirror operators to set up a Tor Hidden Service
>>
>> There is already a good collection of HTTPS mirrors to choose from
>> (not-counting all the ones that have HTTPS enabled without a proper
>> certificate).
>>
>> https://mirror.i3d.net/pub/debian/
>> https://mirror.cpsc.ucalgary.ca/mirror/debian.org/debian/
>> https://mirror.cse.unsw.edu.au/debian/
>> https://mirrors.kernel.org/debian/
>> https://the.earth.li/debian/
>> https://mirror.vorboss.net/debian/
>> https://ftp.arnes.si/pub/packages/debian/
>> https://ftp.iitm.ac.in/debian/
>> https://ftp.uni-erlangen.de/debian/
>> https://ftp-stud.hs-esslingen.de/debian/
>> https://mirrors.ustc.edu.cn/debian/
>> https://mirror.cpsc.ucalgary.ca/mirror/debian.org/debian/
>> https://dennou-q.gfd-dennou.org/debian/
>> https://dennou-k.gfd-dennou.org/debian/
>> https://dennou-h.gfd-dennou.org/debian/
>>
>>
>> .hc
>>
>> [1] http://daserste.ndr.de/panorama/aktuell/nsa230_page-1.html
>>
>>
>> --
>> To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
>> with a subject of "unsubscribe". Trouble? Contact
>> listmaster@lists.debian.org
>> Archive: [🔎] 53B6150A.3000602@at.or.at">https://lists.debian.org/[🔎] 53B6150A.3000602@at.or.at
>>
>>
>
Reply to: