Re: HTTPS enabled Debian Security repository
> Henrique de Moraes Holschuh writes:
>> On Fri, 27 Oct 2017, Hans-Christoph Steiner wrote:
>>> This idea that GPG signatures on the index files is enough has been
>>> totally disproven. There was a bug in apt where Debian devices could be
>>> exploited by feeding them crafted InRelease files:
>> This was the *one* bug of this sort in the entire lifetime of apt thus
>> far, AFAIK.
> No, there was also
> which I found. That one was fairly easy to exploit (concatenate
> manipulated Release with wrong "-----BEGIN PGP SIGNATURE" markers and
> correctly signed InRelease; gpg would verify the signature at the end,
> but apt would use the unsigned, manipulated Release from the beginning)
> Similar bugs were present in several other places in Debian's
> infrastructure as well.
> The one from 2016 is harder to exploit (I asked on #-apt back then and
> the sample exploit had a 1/4 success chance with a 1.3 GB InRelease file
> on a memory starved i386 system).
That hit rate is enough to build malware around...
>>> If HTTPS was used, that would mean exploiting that would require
>> One of the dozens of zero-days already found in the TLS stack we had to
>> run like crazy to patch?
> That is still valid of course, though I'm not sure if GnuPG or TLS
> libraries get wider testing...
Don't get me wrong, I agree that HTTPS is very overcomplicated and
terrible in a lot of ways. But the days of plain HTTP/TCP are over.
All connections need to be moving towards encryption. Even with HTTPS'
faults, we are better off using it than plain HTTP.
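The concatenation bug quoted above (a manipulated, unsigned Release placed ahead of a correctly signed InRelease, with gpg checking only the trailing signature while the consumer takes the payload from the beginning) comes down to one question: which bytes does the consumer treat as covered by the signature? As an added example that is neither apt's nor gpg's own code, the following strict splitter for a clearsigned file (RFC 4880 cleartext signature framework) accepts exactly one BEGIN SIGNED MESSAGE ... END SIGNATURE block, refuses any non-blank data outside it, refuses duplicated armor markers, and refuses unescaped dash lines in the cleartext. The cryptographic check of the armored signature is still gpg's job; this only decides which bytes may be handed over at all. The sample files are constructed and the signature bytes in them are placeholders, not real signatures.

```python
"""Strict structural check for a clearsigned index file such as an apt InRelease.

Added example, not apt's or gpg's code. Marker strings are the RFC 4880 armor
lines. Signature verification itself is left to gpg; this code only decides
which bytes are inside the single signed block and rejects everything else.
"""

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


class ClearsignError(ValueError):
    """Raised when the input is not exactly one well-formed clearsigned block."""


def split_clearsigned(text: str):
    """Return (payload, armored_signature) or raise ClearsignError.

    payload is the dash-unescaped cleartext; armored_signature is the text
    from the BEGIN PGP SIGNATURE line to the END PGP SIGNATURE line inclusive.
    """
    lines = text.replace("\r\n", "\n").split("\n")

    def positions(marker):
        return [i for i, line in enumerate(lines) if line == marker]

    msg, sig, end = positions(BEGIN_MSG), positions(BEGIN_SIG), positions(END_SIG)
    # Exactly one of each marker: two files glued together, or an exact
    # marker planted inside unsigned data, shows up here as a duplicate.
    if len(msg) != 1 or len(sig) != 1 or len(end) != 1:
        raise ClearsignError("expected exactly one clearsigned block")
    i_msg, i_sig, i_end = msg[0], sig[0], end[0]
    if not (i_msg < i_sig < i_end):
        raise ClearsignError("armor markers out of order")

    # Only whitespace may sit outside the block. Unsigned data prepended or
    # appended to a valid block is rejected outright instead of being used.
    outside = lines[:i_msg] + lines[i_end + 1:]
    if any(line.strip() for line in outside):
        raise ClearsignError("data outside the signed block")

    # Armor headers such as "Hash: SHA256" run until the first empty line.
    body_start = i_msg + 1
    while body_start < i_sig and lines[body_start] != "":
        if ":" not in lines[body_start]:
            raise ClearsignError("malformed armor header")
        body_start += 1
    if body_start >= i_sig:
        raise ClearsignError("missing blank line after armor headers")
    body_start += 1

    payload_lines = []
    for line in lines[body_start:i_sig]:
        if line.startswith("- "):
            line = line[2:]  # dash-escaped cleartext line, restore it
        elif line.startswith("-"):
            # RFC 4880 requires every cleartext line that begins with a dash
            # to be escaped; an unescaped one is corruption or a marker
            # look-alike and is not passed on.
            raise ClearsignError("unescaped dash in cleartext")
        payload_lines.append(line)

    payload = "\n".join(payload_lines)
    signature = "\n".join(lines[i_sig:i_end + 1])
    return payload, signature


def accepts(text: str) -> bool:
    """True if the input has the strict single-block structure."""
    try:
        split_clearsigned(text)
        return True
    except ClearsignError:
        return False


# Constructed sample: a minimal well-formed clearsigned index. The armored
# signature lines are placeholders, not a real signature.
GOOD = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Origin: Example
Suite: stable
- -----not-a-marker-----
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEplaceholder
=abcd
-----END PGP SIGNATURE-----
"""

# Constructed sample of the shape described in the thread: unsigned index
# text with a bogus (truncated) signature marker, followed by the correctly
# signed block. A consumer taking the payload "from the beginning" would use
# the unsigned text; the strict splitter rejects the whole file.
PREPENDED = "Origin: Tampered\nSuite: stable\n-----BEGIN PGP SIGNATURE\n\n" + GOOD

# Two complete blocks glued together: rejected because markers are duplicated.
DOUBLED = GOOD + GOOD

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("PREPENDED", PREPENDED), ("DOUBLED", DOUBLED)):
        print(name, "accepted" if accepts(sample) else "rejected")
```

Running the module prints `GOOD accepted`, `PREPENDED rejected`, `DOUBLED rejected`. The design choice worth noting is that the splitter fails closed on any structural surprise rather than trying to locate "the" signed region inside a larger file; the bytes that reach the signature check are then exactly the bytes the signer covered.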