On Fri, May 7, 2010 at 11:00 AM, Florian Pritz <[email protected]> wrote:

> On 06.05.2010 22:48, Denis A. Altoé Falqueto wrote:
>> But this doesn't solve the problem of a replay attack (as pointed out by
>> Dan, some emails above), where an evil mirror admin puts an old
>> validly signed repo.db to force some user to download a validly signed
>> old package with a known vulnerability. This is tougher to solve. We
>> would need some guaranteed way to tell if the downloaded repo.db is
>> really the latest..... No ideas for now.
>
> Add the date when the database was signed (inside of the same signature
> of course) and when updating the database (not when installing a
> package) let pacman check if this date is at maximum 1 or 2 days old.
> This requires low mirror delays though.
>
> If there are no updates for 2 days some dev would have to resign the
> database, but that's quite unlikely and acceptable I think.
> Pacman should also check if the new date is more recent than the old one.

I was thinking about something like that. I would choose something like 5 or 7 days. This would give a window of attack of at most 7 days and would give the mirrors enough time to sync. So, if some package has a known vulnerability, it would be exploitable by replay attack only for the last 7 days. After that, the repo.db would expire and the user would have to download a new one (say, if the mirror is compromised, it would be an indication of that). If the repository activity is really low, it would require a new repo.db to be resigned every 5 or 7 days.

The only weak point is the source of time for the comparison. Should we force an ntp query? Is it possible to use just a client library to do that, or would we need to require a local server? Should we be happy enough with the time on the computer?

--
A: Because it obfuscates the reading.
Q: Why is top posting so bad?

-------------------------------------------
Denis A. Altoe Falqueto
-------------------------------------------
