-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 03/07/2019 3.11 AM, Sphere wrote:
> I'm not particularly knowledgeable about the verification process
> being done by dnf on the signature of packages so the question
> still lies on me: Is downloading packages from plaintext http
> susceptible to MITM?
> 

Suppose an attacker intercepts a package with a valid signature,
modifies it, then passes it along to you. When you receive it, dnf
(technically gpgv) will not be able to verify the signature (since the
package has been modified), so the package won't be installed. In this
sense, the MITM attempt will fail. Of course, there's no such thing as
perfect security, so an MITM is technically possible if the attacker
were to find some way to defeat this system, e.g., obtain a copy of the
signing key or craft malicious input that exploits a vulnerability in
gpgv. (This is why signing keys are closely guarded and gpgv is
intentionally simpler and harder to exploit than gpg.)

> Even if that is not the case, I believe we can't be for sure that
> there's no exploitable vulnerability on dnf involving packages
> poisoned either from the source itself or in transit through
> plaintext http.
> 

Correct. We can never be sure that there isn't some security flaw that
we haven't discovered yet. This is, in fact, a fundamental tenet of
the Qubes philosophy: All software has bugs, and we can't fix them
all. As we speak, buggy software is being written around the world. Even
if we tried, we couldn't fix them quickly enough to keep up with the
rate at which they're being produced. Instead, we compartmentalize.
Separate things in their own boxes so that when bugs inevitably bite,
the damage is limited. For the software we can't compartmentalize,
keep it as minimal as possible.

In any case, it would be better to have both signed packages _and_
transit via HTTPS. If I had to choose just one, I'd pick signed
packages, since it wouldn't be difficult for an attacker to serve
malicious packages over HTTPS. But, again, both would be better.

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/efeda109-da60-cbcf-d2b9-759803ecc2d8%40qubes-os.org.
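The reply above argues that package signatures are what actually stop a modified package from being installed, and that HTTPS transport is a worthwhile second layer. The script below is an added example, not part of the original message and not code from the Qubes OS or dnf projects: it audits dnf/yum `.repo` files for the two weaknesses that would undermine that argument, a `baseurl`/`metalink`/`mirrorlist` fetched over plaintext `http://`, and `gpgcheck` (or `repo_gpgcheck`) not set to 1. Repositories with `enabled=0` are skipped because dnf does not fetch them. The `.repo` files, mirror hostnames and repository names are constructed for the example; the treatment of a missing `gpgcheck`/`repo_gpgcheck` as 0 follows dnf's documented default for those options.

```sh
#!/bin/sh
# Audit dnf/yum .repo files for settings that weaken the signature-plus-HTTPS
# defence: plaintext http:// sources and disabled GPG checks.
# Added example; sample repo files are constructed below, so it runs offline.

# audit_repo FILE: print one finding per line for every enabled section.
# A missing gpgcheck/repo_gpgcheck is treated as 0 (dnf's default for the key).
audit_repo() {
    awk '
    function flush() {
        if (section == "") return
        if (enabled == "0") return      # disabled repos are never fetched
        if (gpgcheck != "1")
            print FILENAME ": [" section "] gpgcheck is not 1 (a modified package would still install)"
        if (repo_gpgcheck != "1")
            print FILENAME ": [" section "] repo_gpgcheck is not 1 (repository metadata is not signature-checked)"
        if (plain != "")
            print FILENAME ": [" section "] plaintext transport: " plain
    }
    /^[ \t]*\[[^]]+\][ \t]*$/ {          # [section] header starts a new repo
        flush()
        section = $0
        sub(/^[ \t]*\[/, "", section); sub(/\][ \t]*$/, "", section)
        gpgcheck = ""; repo_gpgcheck = ""; enabled = "1"; plain = ""
        next
    }
    /^[ \t]*(#|;|$)/ { next }           # comments and blank lines
    !/=/ { next }                       # not a key=value line
    {
        split($0, kv, "=")
        key = kv[1]; gsub(/[ \t]/, "", key)
        val = substr($0, index($0, "=") + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "gpgcheck")           gpgcheck = val
        else if (key == "repo_gpgcheck") repo_gpgcheck = val
        else if (key == "enabled")       enabled = val
        else if (key == "baseurl" || key == "metalink" || key == "mirrorlist") {
            if (val ~ /^http:\/\//)      # anything an on-path attacker can rewrite
                plain = plain (plain == "" ? "" : ",") key "=" val
        }
    }
    END { flush() }
    ' "$1"
}

# audit_count FILE: number of findings for FILE (0 means nothing to fix).
audit_count() {
    audit_repo "$1" | wc -l | tr -d ' '
}

# write_samples DIR: create constructed .repo files to exercise the audit.
write_samples() {
    cat > "$1/weak.repo" <<'EOF'
# constructed example, not a real repository
[thirdparty]
name=Third-party repo (weak)
baseurl=http://mirror.example.invalid/fedora/$releasever/$basearch/
enabled=1
gpgcheck=0

[disabled-but-weak]
name=Not enabled, so never fetched
baseurl=http://mirror.example.invalid/other/
enabled=0
gpgcheck=0
EOF
    cat > "$1/good.repo" <<'EOF'
[fedora]
name=Fedora $releasever - $basearch
metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
enabled=1
repo_gpgcheck=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
EOF
}

WORK=$(mktemp -d)
write_samples "$WORK"
for f in "$WORK"/*.repo; do
    echo "== $f: $(audit_count "$f") finding(s)"
    audit_repo "$f"
done
```

On a real system, run `audit_repo` over `/etc/yum.repos.d/*.repo`; the `[thirdparty]` section in the constructed file yields three findings (plaintext `baseurl`, `gpgcheck=0`, no `repo_gpgcheck`), while the `[disabled-but-weak]` section and the Fedora-style section yield none.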