
Re: DOH (was: geolocation services disabled and Gnome maps)



On Wed, 15 Apr 2020 07:49:28 -0400
Greg Wooledge <wooledg@eeg.ccf.org> wrote:

> On Tue, Apr 14, 2020 at 07:12:47PM -0400, Lee wrote:
> > On 4/14/20, Greg Wooledge <wooledg@eeg.ccf.org> wrote:
> > > Accessing the mirrors via https makes the packages un-cacheable, which
> > > makes the traffic volume significantly greater -- and the package lists
> > > are already signed, so there's no gain in trustworthiness of the packages.
> > >
> > > Some people may cite "privacy", as in "I don't want them to know which
> > > window manager I use", or something... I do not understand this
> > > argument, frankly.  It sounds paranoid to me.
> > 
> > How about people that cite "security"?  And yes, I take the simplistic
> > approach that encrypted=good and clear-text=bad but clear-text allows
> > things like
> >   https://www.guardicore.com/2019/01/a-vulnerability-in-debians-apt-allows-for-easy-lateral-movement-in-data-centers
> > 
> > my understanding is that vuln wouldn't have existed if https had been used.
> 
> That was a one-time bug, and was fixed quickly.  People have blown it
> way out of proportion.
> 
> The general answer for people who think "it's not https so it's not secure"
> is already given at <https://whydoesaptnotusehttps.com/>.

As that site notes:

> However there may be other security benefits to using HTTPS for apt
> updates, in that it should greatly increase the difficulty for a
> man-in-the-middle attacker to exploit future bugs in APT, or to

IIUC, this is pretty much what happened to OpenWRT recently:

https://arstechnica.com/information-technology/2020/03/openwrt-is-vulnerable-to-attacks-that-execute-malicious-code/

They were using SHA256 checksums to verify packages, not GPG signing,
but the vulnerability was caused by buggy code that allowed the hash
check to be bypassed, which I suppose could hit a GPG based system
as well ...

Celejar
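
An added example, not part of the original message and not OpenWrt's or APT's code: a minimal sketch of the bug class mentioned above, where a hash check is skipped instead of failing when the expected value is unusable. The stanza format, field names and sample data are constructed for illustration, and the index is assumed to have been authenticated (for example by a signature) before this step.

```python
import hashlib
import hmac
import re

HEX_SHA256 = re.compile(r"[0-9a-f]{64}")

def parse_stanza(text):
    """Parse one 'Key: value' stanza of a (constructed) package index."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(": ")
        fields[key] = value  # kept raw: stray whitespace must not be hidden
    return fields

def verify_fail_open(fields, data):
    """Flawed pattern: an unusable hash field skips the check entirely."""
    expected = fields.get("SHA256", "")
    if not HEX_SHA256.fullmatch(expected):
        return True  # nothing to compare against, so the package is accepted
    return hashlib.sha256(data).hexdigest() == expected

def verify_fail_closed(fields, data):
    """Accept only when a well-formed hash is present and matches."""
    expected = fields.get("SHA256")
    if expected is None or not HEX_SHA256.fullmatch(expected):
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)

# Constructed sample data.
GOOD_PKG = b"constructed package payload\n"
OTHER_PKG = b"different bytes served in transit\n"
DIGEST = hashlib.sha256(GOOD_PKG).hexdigest()
GOOD_INDEX = "Package: demo\nSHA256: " + DIGEST + "\n"
MALFORMED_INDEX = "Package: demo\nSHA256:  " + DIGEST + "\n"  # extra space

def run_cases():
    """Return {case: (fail_open_result, fail_closed_result)}."""
    cases = [
        ("match", GOOD_INDEX, GOOD_PKG),
        ("mismatch", GOOD_INDEX, OTHER_PKG),
        ("malformed", MALFORMED_INDEX, OTHER_PKG),
    ]
    return {name: (verify_fail_open(parse_stanza(idx), data),
                   verify_fail_closed(parse_stanza(idx), data))
            for name, idx, data in cases}

if __name__ == "__main__":
    for name, result in run_cases().items():
        print(name, result)
```

Only the "malformed" case separates the two verifiers: the fail-open one accepts bytes that do not match the digest, while the fail-closed one rejects them.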

