
Bug#722906: New users can't verify downloads correctly


On Sat, Sep 14, 2013 at 10:36:55AM -0700, Don Armstrong wrote:
>     To ensure that the checksums files themselves are correct, use GnuPG
>     to verify them against the accompanying signature files (e.g.
>     MD5SSUMS.sign). The keys used for these signatures are all in the
>     Debian GPG keyring and the best way to check them is to use that
>     keyring to validate via the web of trust. To make life easier for
>     users, here are the fingerprints for the keys that have been used
>     for releases in recent years (with some UIDs removed for clarity):

Yes, and new users don't have that keyring. They might think verifying
those fingerprints is safe.

> > It would be fair to expect a large proportion of users cannot or will
> > not be able to establish such a web of trust, especially if they're new
> > users.
> Anyone capable of pulling off a MITM attack against an http site will be
> capable of pulling off an attack against an https site too.[1]

What is that claim based on? Breaking SSL/TLS is much more difficult
than MITM-ing a plain http website, unless the signing CA is involved.
And while I agree that MITM attacks don't happen really often for normal
Internet connections, it's quite hazardous to assume http is safe when
using Tor for example.

> Even if the site were to be served via https, which is unlikely, due
> to the fact that www.debian.org is mirrored, you still would have the
> same set of problems, and users who were concerned about the
> authenticity of the pages that they were viewing and the images that
> they were downloading would still have to verify the key IDs via the
> web of trust.

Hm, I didn't know it's mirrored. Perhaps ftp-master should host those?
Regardless, there has to be a website that's under Debian's control.

> 1: Unless you're proposing that people check the authenticity of the SSL
> certificates too against a known set of fingerprints, which brings you
> right back to the same bootstrapping problem.

I'm proposing checking the SSL certs just like any browser checks them:
verifying signatures against a set of trusted CAs.


Also can we avoid placing this issue on the "wishlist" severity level? I
don't mean to blow this out of proportion, but we're talking about a
security issue regarding installing new Debian systems, after all.
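The verification chain the quoted Debian text describes, as an added example that is not part of this bug report or of Debian's own tooling: parse the status output of `gpg --status-fd 1 --verify` on the checksum file's `.sign`, accept the signature only if the signing key's primary fingerprint is in a pinned set, then compare the image's SHA-256 with its entry in the checksum file. The pinned fingerprint, status lines, checksum file and image bytes are all constructed; the point is that the pinned set has to come from a channel the user already trusts (the keyring), which is exactly the bootstrapping problem discussed above.

```python
import hashlib
import re

# Constructed, hypothetical primary-key fingerprint. A real pinned set must
# come from something already trusted (e.g. the debian-keyring package),
# not from the same web page whose downloads are being verified.
PINNED_FINGERPRINTS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

def signing_key_fingerprint(status_output):
    """Parse `gpg --status-fd 1 --verify SHA256SUMS.sign SHA256SUMS` output.
    Returns the signing key's primary fingerprint only when gpg reported
    both GOODSIG (key neither expired nor revoked) and VALIDSIG; any
    BADSIG/ERRSIG, or a missing GOODSIG, yields None."""
    good, fpr = False, None
    for line in status_output.splitlines():
        fields = line.split()
        if line.startswith("[GNUPG:] GOODSIG "):
            good = True
        elif line.startswith("[GNUPG:] VALIDSIG "):
            # Field layout: fpr date ts expire ver reserved pk hash class
            # [primary-fpr]. Prefer the primary fingerprint (a subkey may
            # have signed); older gpg omits it, so fall back to field 2.
            fpr = fields[-1] if len(fields) >= 12 else fields[2]
        elif line.startswith(("[GNUPG:] BADSIG ", "[GNUPG:] ERRSIG ")):
            return None
    return fpr if good and fpr else None

def checksum_matches(sums_text, filename, data):
    """Compare data against the SHA256SUMS entry for filename
    (`<hex>  <name>` or `<hex> *<name>`); no entry counts as failure."""
    digest = hashlib.sha256(data).hexdigest()
    for line in sums_text.splitlines():
        m = re.match(r"([0-9a-f]{64}) [ *](.+)$", line)
        if m and m.group(2) == filename:
            return m.group(1) == digest
    return False

def verify_download(status_output, sums_text, filename, data):
    """Whole chain: good signature, pinned key, matching checksum."""
    fpr = signing_key_fingerprint(status_output)
    return fpr in PINNED_FINGERPRINTS and checksum_matches(sums_text, filename, data)

# Constructed sample inputs standing in for a real download.
SAMPLE_IMAGE = b"constructed stand-in for an installer image\n"
SAMPLE_SUMS = hashlib.sha256(SAMPLE_IMAGE).hexdigest() + "  debian-example.iso\n"
SAMPLE_STATUS_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>\n"
    "[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2013-09-14 "
    "1379155015 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567\n"
)
```

A status that says only EXPKEYSIG or REVKEYSIG (good signature, but expired or revoked key) still carries a VALIDSIG line, which is why GOODSIG is required as well.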