Bug#722906: New users can't verify downloads correctly
On Sat, Sep 14, 2013 at 10:36:55AM -0700, Don Armstrong wrote:
> To ensure that the checksums files themselves are correct, use GnuPG
> to verify them against the accompanying signature files (e.g.
> MD5SSUMS.sign). The keys used for these signatures are all in the
> Debian GPG keyring and the best way to check them is to use that
> keyring to validate via the web of trust. To make life easier for
> users, here are the fingerprints for the keys that have been used
> for releases in recent years (with some UIDs removed for clarity):
Yes, and new users don't have that keyring. They might think verifying
those fingerprints is safe.
> > It would be fair to expect a large proportion of users cannot or will
> > not be able to establish such a web of trust, especially if they're new
> > users.
> Anyone capable of pulling off a MITM attack against an http site will be
> capable of pulling off an attack against an https site too.
What is that claim based on? Breaking SSL/TLS is much more difficult
than MITM-ing a plain http website, unless the signing CA is involved.
And while I agree that MITM attacks don't happen really often for normal
Internet connections, it's quite hazardous to assume http is safe when
using Tor for example.
> Even if the site were to be served via https, which is unlikely, due
> to the fact that www.debian.org is mirrored, you still would have the
> same set of problems, and users who were concerned about the
> authenticity of the pages that they were viewing and the images that
> they were downloading would still have to verify the key IDs via the
> web of trust.
Hm, I didn't know it's mirrored. Perhaps ftp-master should host those?
Regardless, there has to be a website that's under Debian's control.
> 1: Unless you're proposing that people check the authenticity of the SSL
> certificates too against a known set of fingerprints, which brings you
> right back to the same bootstrapping problem.
I'm proposing checking the SSL certs just like any browser checks them:
verifying signatures against a set of trusted CAs.
Also can we avoid placing this issue on the "wishlist" severity level? I
don't mean to blow this out of proportion, but we're talking about a
security issue regarding installing new Debian systems, after all.