Bug#722906: New users can't verify downloads correctly

To: Don Armstrong <don@debian.org>
Cc: 722906@bugs.debian.org
Subject: Bug#722906: New users can't verify downloads correctly
From: Eduard - Gabriel Munteanu <edgmnt@gmail.com>
Date: Sat, 14 Sep 2013 21:52:52 +0300
Message-id: <[🔎] 20130914185252.GA2334@home>
Reply-to: Eduard - Gabriel Munteanu <edgmnt@gmail.com>, 722906@bugs.debian.org
In-reply-to: <[🔎] 20130914173655.GU6418@teltox.donarmstrong.com>
References: <[🔎] 20130914121750.GA3211@home> <[🔎] 20130914173655.GU6418@teltox.donarmstrong.com>

[snip]

On Sat, Sep 14, 2013 at 10:36:55AM -0700, Don Armstrong wrote:
> 
>     To ensure that the checksums files themselves are correct, use GnuPG
>     to verify them against the accompanying signature files (e.g.
>     MD5SSUMS.sign). The keys used for these signatures are all in the
>     Debian GPG keyring and the best way to check them is to use that
>     keyring to validate via the web of trust. To make life easier for
>     users, here are the fingerprints for the keys that have been used
>     for releases in recent years (with some UIDs removed for clarity):
> 

Yes, and new users don't have that keyring. They might think verifying
those fingerprints is safe.

> > It would be fair to expect a large proportion of users cannot or will
> > not be able to establish such a web of trust, especially if they're new
> > users.
> 
> Anyone capable of pulling off a MITM attack against an http site will be
> capable of pulling off an attack against an https site too.[1]

What is that claim based on? Breaking SSL/TLS is much more difficult
than MITM-ing a plain http website, unless the signing CA is involved.
And while I agree that MITM attacks don't happen really often for normal
Internet connections, it's quite hazardous to assume http is safe when
using Tor for example.

> Even if the site were to be served via https, which is unlikely, due
> to the fact that www.debian.org is mirrored, you still would have the
> same set of problems, and users who were concerned about the
> authenticity of the pages that they were viewing and the images that
> they were downloading would still have to verify the key IDs via the
> web of trust.

Hm, I didn't know it's mirrored. Perhaps ftp-master should host those?
Regardless, there has to be a website that's under Debian's control.

> 
> 1: Unless you're proposing that people check the authenticity of the SSL
> certificates too against a known set of fingerprints, which brings you
> right back to the same bootstrapping problem.

I'm proposing checking the SSL certs just like any browser checks them:
verifying signatures against a set of trusted CAs.

[snip]

Also can we avoid placing this issue on the "wishlist" severity level? I
don't mean to blow this out of proportion, but we're talking about a
security issue regarding installing new Debian systems, after all.

	Regards,
	Eduard

Reply to:

References:
- Bug#722906: New users can't verify downloads correctly
  - From: Eduard - Gabriel Munteanu <edgmnt@gmail.com>
- Bug#722906: New users can't verify downloads correctly
  - From: Don Armstrong <don@debian.org>

Prev by Date: Processed: Re: Bug#722906: New users can't verify downloads correctly
Next by Date: Gluing Wiki Shell Commands To CLI Interface? Call for Collaborators!
Previous by thread: Bug#722906: New users can't verify downloads correctly
Next by thread: Processed: Re: Bug#722906: New users can't verify downloads correctly
Index(es):
- Date
- Thread