On 03/07/2019 3.11 AM, Sphere wrote:
> I'm not particularly knowledgeable about the verification process
> being done by dnf on the signature of packages so the question
> still lies on me: Is downloading packages from plaintext http
> susceptible to MITM?
>
Suppose an attacker intercepts a package with a valid signature, modifies it, then passes it along to you. When you receive it, dnf (technically gpgv) will not be able to verify the signature (since the package has been modified), so the package won't be installed. In this sense, the MITM attempt will fail.

Of course, there's no such thing as perfect security, so an MITM is technically possible if the attacker were to find some way to defeat this system, e.g., obtain a copy of the signing key or craft malicious input that exploits a vulnerability in gpgv. (This is why signing keys are closely guarded and gpgv is intentionally simpler and harder to exploit than gpg.)

> Even if that is not the case, I believe we can't be for sure that
> there's no exploitable vulnerability on dnf involving packages
> poisoned either from the source itself or in transit through
> plaintext http.
>

Correct. We can never be sure that there isn't some security flaw that we haven't discovered yet. This is, in fact, a fundamental tenet of the Qubes philosophy: All software has bugs, and we can't fix them all. As we speak, buggy software is being written around the world. Even if we tried, we couldn't fix them quickly enough to keep up with the rate at which they're being produced. Instead, we compartmentalize. Separate things in their own boxes so that when bugs inevitably bite, the damage is limited. For the software we can't compartmentalize, keep it as minimal as possible.

In any case, it would be better to have both signed packages _and_ transit via HTTPS. If I had to choose just one, I'd pick signed packages, since it wouldn't be difficult for an attacker to serve malicious packages over HTTPS. But, again, both would be better.
--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
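A small model of the verification step Andrew describes, as an added example that is not code from this thread, from dnf or from gpgv: it substitutes Ed25519 (Go's standard-library crypto/ed25519) for the RPM's GPG signature and a locally pinned public key for the repository key dnf imports, and shows that a package modified in transit, or re-signed with an attacker's own key, fails the check no matter whether it arrived over plaintext HTTP or HTTPS. The package name and contents are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Package is what a repository serves: the payload plus a detached
// signature made with the distribution's signing key.
type Package struct {
	Name    string
	Payload []byte
	Sig     []byte
}

// NewSigningKey generates a key pair (stand-in for the repo's GPG key).
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign is the publisher side; the private key never leaves the build host.
func Sign(priv ed25519.PrivateKey, name string, payload []byte) Package {
	return Package{Name: name, Payload: payload, Sig: ed25519.Sign(priv, payload)}
}

// Verify is the client side. The key is pinned locally (as dnf pins the
// imported repo key), so the result does not depend on the transport.
func Verify(pinned ed25519.PublicKey, p Package) bool {
	return ed25519.Verify(pinned, p.Payload, p.Sig)
}

// Tamper models an on-path attacker rewriting the payload while
// forwarding the original signature unchanged.
func Tamper(p Package) Package {
	modified := append(append([]byte(nil), p.Payload...), "\n# injected"...)
	return Package{Name: p.Name, Payload: modified, Sig: p.Sig}
}

func main() {
	pub, priv := NewSigningKey()
	p := Sign(priv, "example-1.0.rpm", []byte("constructed package contents"))
	fmt.Println("genuine verifies:", Verify(pub, p))          // true
	fmt.Println("tampered verifies:", Verify(pub, Tamper(p))) // false
	_, attacker := NewSigningKey()
	resigned := Sign(attacker, p.Name, Tamper(p).Payload)
	fmt.Println("re-signed with attacker key:", Verify(pub, resigned)) // false
}
```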