Re: HTTPS enabled Debian Security repository
Ansgar Burchardt:
> Henrique de Moraes Holschuh writes:
>> On Fri, 27 Oct 2017, Hans-Christoph Steiner wrote:
>>> This idea that GPG signatures on the index files is enough has been
>>> totally disproven. There was a bug in apt where Debian devices could be
>>> exploited by feeding them crafted InRelease files:
>>>
>>> https://www.debian.org/security/2016/dsa-3733
>>
>> This was the *one* bug of this sort in the entire lifetime of apt thus
>> far, AFAIK.
>
> No, there was also
> https://security-tracker.debian.org/tracker/CVE-2013-1051
> which I found. That one was fairly easy to exploit (concatenate
> manipulated Release with wrong "-----BEGIN PGP SIGNATURE" markers and
> correctly signed InRelease; gpg would verify the signature at the end,
> but apt would use the unsigned, manipulated Release from the beginning)
>
> Similar bugs were present in several other places in Debian's
> infrastructure as well.
>
> The one from 2016 is harder to exploit: I asked on #-apt back then and
> the sample exploit had a 1/4 success chance with a 1.3 GB InRelease file
> on a memory starved i386 system.
That hit rate is enough to build malware around...
>>> If HTTPS was used, that would mean exploiting that would require
>>
>> One of the dozens of zero-days already found in the TLS stack we had to
>> run like crazy to patch?
>
> That is still valid of course, though I'm not sure if GnuPG or TLS
> libraries get wider testing...
>
> Ansgar
>
Don't get me wrong, I agree that HTTPS is very overcomplicated and
terrible in a lot of ways. But the days of plain HTTP/TCP are over.
All connections need to be moving towards encryption. Even with HTTPS'
faults, we are better off using it than plain HTTP.
.hc
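As an added example, not code from this thread or from apt itself: a structural pre-check in Python that accepts an InRelease file only if it is exactly one clearsigned message with no data and no stray armor-looking lines outside it, which is the layout disagreement between gpg and apt behind the CVE-2013-1051 concatenation described above. The sample inputs are constructed and the signature body is dummy text; the check complements gpg verification, it does not replace it.

```python
import re

# Exact OpenPGP armor lines for a clearsigned file (RFC 4880, section 7).
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"
ARMOR_LIKE = re.compile(r"^-----(BEGIN|END) PGP")


def check_clearsigned_layout(text: str) -> tuple[bool, str]:
    """Return (ok, reason). ok only if the whole file is one signed message
    followed by one signature block and nothing else. Run before gpg so
    that apt and gpg cannot disagree about which bytes were signed."""
    lines = text.splitlines()
    begins = [i for i, l in enumerate(lines) if l == BEGIN_MSG]
    sig_starts = [i for i, l in enumerate(lines) if l == BEGIN_SIG]
    sig_ends = [i for i, l in enumerate(lines) if l == END_SIG]
    if len(begins) != 1 or len(sig_starts) != 1 or len(sig_ends) != 1:
        return False, "expected exactly one signed message and one signature block"
    b, s, e = begins[0], sig_starts[0], sig_ends[0]
    if not b < s < e:
        return False, "armor markers out of order"
    # Real clearsigned bodies dash-escape lines starting with "-", so any other
    # armor-looking line (e.g. a truncated "-----BEGIN PGP SIGNATURE") is a
    # sign that a lenient parser could stop at a different place than gpg.
    for i, l in enumerate(lines):
        if i not in (b, s, e) and ARMOR_LIKE.match(l):
            return False, f"unexpected armor-like line {i + 1}: {l!r}"
    # Bytes outside the signed message are unsigned; never act on them.
    if any(l.strip() for l in lines[:b]) or any(l.strip() for l in lines[e + 1:]):
        return False, "data outside the signed message"
    return True, "ok"


# Constructed sample: minimal well-formed clearsigned InRelease (dummy signature).
GOOD = "\n".join([BEGIN_MSG, "Hash: SHA256", "",
                  "Origin: Debian", "Suite: stable",
                  BEGIN_SIG, "", "iQEzBAEBCAAdFiEE...", "=abcd", END_SIG, ""])

# Constructed sample of the layout the thread describes: an unsigned Release
# and a malformed signature marker prepended to a correctly signed InRelease.
BAD = "\n".join(["Origin: Debian", "Suite: stable",
                 "MD5Sum:", " 00000000000000000000000000000000 1 Packages",
                 "-----BEGIN PGP SIGNATURE", GOOD])
```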