I understand that packages do not need to be served over HTTPS as apt
verifies with PGP keys. However, basho's key is not served over HTTPS,
so there is a higher risk in that step. There could, in theory, be a man
in the middle attack against the user who downloads the key that swaps
basho's key with someone else's key. The attacker can then plant bad
code in the riak package download.
A relatively low risk, sure. Still one that makes me nervous especially
in the current climate.
Cheers,
Shuhao
On 11/15/2013 01:27 PM, Seth Thomas wrote:
Shuhao,
Apt keys and packages typically aren't provided over HTTPS - even by the
distribution itself (see /etc/apt/sources.list). There is no transport
security but the packages are signed which provides a generally agreed
upon adequate level of security. There is some discussion here[1] that
details why HTTPS doesn't offer much security for this process. As a quick
pass I looked at a dozen other projects that all follow the same pattern
with respect to both keys and packages.
Cheers,
Seth Thomas
[1] http://askubuntu.com/questions/146108/how-to-use-https-with-apt-get
On Wed, Nov 13, 2013 at 4:31 PM, Shuhao Wu <[email protected]> wrote:
Hi,
I just came across the instructions to install Riak again and I think
there are some insecurities with the instructions.
On this page[1], there is a line that suggests we should do this:
curl http://apt.basho.com/gpg/basho.apt.key | sudo apt-key add -
This is not https and should be. Additionally, an https version of
apt.basho.com does not seem to be available.
[1]:
http://docs.basho.com/riak/latest/ops/building/installing/debian-ubuntu/
Cheers,
Shuhao
_______________________________________________
riak-users mailing list
[email protected]
http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
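The practical mitigation for the concern raised in this thread is to stop piping the key straight into `apt-key add` and instead save it to a file and compare its fingerprint against a value obtained out-of-band (a page served over HTTPS, a signed release announcement, a person you trust) before trusting it. The script below is an added example, not Basho's or the riak project's code, that does exactly that: it decodes the ASCII armor (checking the CRC-24 line), walks the OpenPGP packets to find the primary Public-Key packet, computes the RFC 4880 v4 fingerprint (SHA-1 over 0x99, a two-octet length, and the key body), and refuses unless it equals the pinned value. Basho's real fingerprint does not appear on this page and is not assumed here; the embedded sample key is a constructed toy RSA key for the demonstration, and `pin_apt_key.py` is a hypothetical file name.

```python
"""Pin an OpenPGP key fingerprint before trusting a key fetched over plain HTTP.

Added example, not Basho's or the riak project's code. The pinned fingerprint
is assumed to have been obtained out-of-band by the operator; the sample key
built at the bottom is constructed for this demo and is NOT Basho's real key.
"""
import base64
import hashlib
import struct
import sys

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"


def crc24(data: bytes) -> int:
    """OpenPGP radix-64 checksum (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def decode_armor(armored: str) -> bytes:
    """Strip the armor, verify the '=XXXX' CRC-24 line, return raw packet bytes."""
    lines = [ln.strip() for ln in armored.strip().splitlines()]
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not a PGP public key block")
    body = lines[1:-1]
    if "" in body:                      # armor headers end at the first blank line
        body = body[body.index("") + 1:]
    if not body or not body[-1].startswith("="):
        raise ValueError("missing armor checksum line")
    data = base64.b64decode("".join(body[:-1]))
    expected = int.from_bytes(base64.b64decode(body[-1][1:]), "big")
    if crc24(data) != expected:
        raise ValueError("armor checksum mismatch: corrupted or tampered download")
    return data


def iter_packets(data: bytes):
    """Yield (tag, body) for each packet, handling old- and new-format headers."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("invalid packet header")
        pos += 1
        if ctb & 0x40:                  # new-format header (RFC 4880 4.2.2)
            tag = ctb & 0x3F
            first = data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:
                raise ValueError("partial body lengths are not supported")
        else:                           # old-format header (RFC 4880 4.2.1)
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length not supported")
            nbytes = (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos:pos + nbytes], "big")
            pos += nbytes
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        pos += length
        yield tag, body


def v4_fingerprint(key_body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, two-octet body length, then the body."""
    if key_body[0] != 4:
        raise ValueError("only v4 keys are handled here")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest().upper()


def primary_fingerprint(armored: str) -> str:
    for tag, body in iter_packets(decode_armor(armored)):
        if tag == 6:                    # Public-Key packet; the primary key comes first
            return v4_fingerprint(body)
    raise ValueError("no public key packet found")


def key_matches_pin(armored: str, pinned_fingerprint: str) -> bool:
    """True only if the key's fingerprint equals the out-of-band pin (case/space insensitive)."""
    return primary_fingerprint(armored) == pinned_fingerprint.replace(" ", "").upper()


def _build_sample_key():
    """Construct a toy v4 RSA public key plus a User ID packet and armor it (constructed data)."""
    mpi_n = (64).to_bytes(2, "big") + bytes.fromhex("C0FFEE1234567891")   # 64-bit toy modulus, not secure
    mpi_e = (17).to_bytes(2, "big") + bytes.fromhex("010001")             # e = 65537
    key_body = b"\x04" + struct.pack(">I", 1384554420) + b"\x01" + mpi_n + mpi_e
    uid = b"Constructed Example <example@example.invalid>"
    packets = bytes([0x98, len(key_body)]) + key_body + bytes([0xB4, len(uid)]) + uid
    b64 = base64.b64encode(packets).decode()
    crc = base64.b64encode(crc24(packets).to_bytes(3, "big")).decode()
    armored = "\n".join([BEGIN, "Version: constructed-example", "",
                         *[b64[i:i + 64] for i in range(0, len(b64), 64)], "=" + crc, END])
    return key_body, armored


SAMPLE_KEY_BODY, SAMPLE_KEY = _build_sample_key()

if __name__ == "__main__":
    # Usage: python pin_apt_key.py <downloaded-key-file> <pinned-fingerprint>
    # With no arguments the constructed sample key is checked against its own fingerprint.
    if len(sys.argv) == 3:
        armored, pin = open(sys.argv[1]).read(), sys.argv[2]
    else:
        armored, pin = SAMPLE_KEY, v4_fingerprint(SAMPLE_KEY_BODY)
    print("fingerprint:", primary_fingerprint(armored))
    if not key_matches_pin(armored, pin):
        print("REFUSING: fingerprint does not match the pinned value")
        sys.exit(1)
    print("OK: fingerprint matches the pin; now run apt-key add on the saved file")
```

The workflow this supports is `curl -o basho.apt.key http://...`, then the check, then `sudo apt-key add basho.apt.key` only on success; the equivalent one-liner with stock tools is `gpg --with-fingerprint basho.apt.key` followed by a visual comparison. Note that the CRC-24 line only detects accidental corruption, not a substituted key: an attacker who swaps the key also recomputes the checksum, so the fingerprint pin is the part that actually defeats the man-in-the-middle scenario described above.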