On Sat, Jan 26, 2019 at 04:39:45AM -0800, goldsm...@riseup.net wrote: > > Am I right in thinking that the recently discovered apt vulnerability > (DSA 4371-1) in Debian based systems could and should have been > mitigated against many years ago by downloading and activating an apt > package; "apt-transport-https", which forces apt updates via https? The > researcher (Max Justicz) who discovered the vulnerability has stated it > couldn't have been exploited if https had been implemented. > > If "apt-transport-https" is the magic bullet, why in the past hasn't it > been implemented by default? And, why for the future, is it not being > implemented immediately by Qubes, Debian et al? > > During the past decade many people with good foresight had predicted the > apt vulnerabilty and urged administrators to install the > solution;"apt-transport-https". Regrettably, the vocal majority of > so-called experts said that's unnecessary because the packages are > signed. Was that incompetent advice? or was it a coordinated response > from agents of State Actors to hide a deliberate backdoor? I've no idea, > but given Snowdens revelations I would not rule anything out.
No you're not right in thinking this. You seem to have missed the section where Max explicitly say that "a malicious mirror could still exploit a bug like this, even with https." So apt-transport-https is no magic bullet, particularly as a cursory glance suggests that it allows forcing SSL version to SSLv3, which is known to be insecure. Imagine that apt-transport-https *had* been adopted - have you actually looked at the list of vulnerabilities in libcurl, and the various breakages in the TLS CA system? I can imagine some one posting exactly like you: "Was the move to https incompetent advice? or was it a coordinated response from agents of State Actors to hide a deliberate backdoor? I've no idea, but given Snowdens revelations I would not rule anything out." I would rule some things out. And in this case it looks like a simple mistake. And if you read any of the arguments re http/https you'd see that there are reasonable arguments on both sides, and the "so called experts" took reasoned positions. It's always been open to you to install the package and switch to https transport in your Debian templates, of course. And Qubes had already started to use that by default too. Not to downplay the importance of the bug, but let's not lose our heads. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to email@example.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190127013421.7pdxo4adq4tmqefe%40thirdeyesecurity.org. For more options, visit https://groups.google.com/d/optout.