
Re: HTTPS needs to be implemented for updating



On 14527 March 1977, Christoph Biedl wrote:
> Well, this creates trust for the path until (but excluding) that
> particular mirror only. Can I trust the mirror? And even if, there's no
> guarantee the mirror got the data through a trusted path.

And why the heck would you ever trust any mirror? If you have to, you
lost already and do it wrong.

https gains you NOTHING at all. It's perfectly fine to use ANY mirror,
however untrustworthy that one may be. Because their (operators') conduct
does not matter at all. The Debian archive and its tools are set up so
that you do not need to trust them and that you notice if they do want
to f*ck with you.

As long as you
 - verified the CD image you installed from against the checksum file
   provided by the Debian CD team, signed by their key,
 - do not disable signature checking in apt,
 - do not add random gpg keys to your trust store,

you are fine.

Now, if you want to manually download a .deb and dpkg -i it - then you
have to manually do the same steps apt & co do: Get the corresponding
Packages and (In)Release files, verify its signature validates against
the archive key, then verify the checksum of the Packages and then the
.deb file. If you don't follow this, you lost, but you asked for it.

And before someone comes with hiding information from a sniffer: https
does not help you there, use Tor to not have people know which packages
you just downloaded. https does not hide this from a sniffer.

-- 
bye, Joerg
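
The manual verification chain described in the message above (InRelease signature, then the Packages checksum, then the .deb checksum), as an added example that is not part of the original message and is not apt's own code. The function names, the keyring default and the sample data in `demo()` are assumptions made for illustration; `gpgv` must be installed for the signature step.

```python
import hashlib
import subprocess

def verified_release_text(inrelease, keyring="/usr/share/keyrings/debian-archive-keyring.gpg"):
    """Return only the payload gpgv verified; raises if the signature is bad."""
    cmd = ["gpgv", "--keyring", keyring, "--output", "-", inrelease]
    return subprocess.run(cmd, check=True, capture_output=True).stdout.decode()

def release_entry(release_text, name):
    """(sha256, size) that the Release file records for an index such as Packages."""
    in_sha256 = False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_sha256 = True
        elif in_sha256 and line.startswith(" "):
            digest, size, path = line.split()
            if path == name:
                return digest, int(size)
        else:
            in_sha256 = False  # left the SHA256 block (e.g. MD5Sum entries)
    raise KeyError(name)

def packages_entry(packages_text, filename):
    """(sha256, size) that Packages records for the .deb with this Filename."""
    for stanza in packages_text.split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines()
                      if ": " in l and not l.startswith(" "))
        if fields.get("Filename") == filename:
            return fields["SHA256"], int(fields["Size"])
    raise KeyError(filename)

def matches(data, entry):
    return len(data) == entry[1] and hashlib.sha256(data).hexdigest() == entry[0]

def verify_chain(release_text, index_name, packages, deb_filename, deb):
    """Release -> Packages -> .deb; release_text must come from verified_release_text()."""
    if not matches(packages, release_entry(release_text, index_name)):
        return False
    return matches(deb, packages_entry(packages.decode(), deb_filename))

def demo():
    """Constructed sample data (not real archive content)."""
    name = "pool/main/e/example/example_1.0_all.deb"
    deb = b"constructed .deb bytes"
    packages = (f"Package: example\nFilename: {name}\nSize: {len(deb)}\n"
                f"SHA256: {hashlib.sha256(deb).hexdigest()}\n").encode()
    release = ("Suite: stable\nSHA256:\n "
               f"{hashlib.sha256(packages).hexdigest()} {len(packages)} main/binary-all/Packages\n")
    return release, "main/binary-all/Packages", packages, name, deb
```

This sketch does not check the Release file's Valid-Until field, which apt does, so on its own it will not notice a mirror serving an old but correctly signed Release.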

