Re: how can I contribute to debian-security?
Hi,

On Tue, Apr 28, 2015, at 03:39 PM, mudongliang wrote:
> I am a student learning about software security! My lab computer is using Debian Jessie! I want to apply my learning to Debian! I want to make my contribution to Debian Security! What should I know, including techniques and knowledge? And what should I notice?

Here are a couple of links to get you up to speed:

- https://www.debian.org/security/
- https://wiki.debian.org/Teams/Security
- https://www.debian.org/doc/manuals/securing-debian-howto/
- https://wiki.debian.org/SecurityChecklist
- https://wiki.debian.org/Hardening

Alfie

--
Alfie John
alf...@fastmail.fm

--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/1430200365.1207280.259483029.55121...@webmail.messagingengine.com
Debian mirrors and MITM
Hi guys,

Taking a look at the Debian mirror list, I see none serving over HTTPS:

https://www.debian.org/mirror/list

The public Debian mirrors seem like an obvious target for governments to MITM. I know that the MD5s are also published, but unless you're verifying them with third parties, what's stopping the MD5s being compromised too?

Is there any compelling reason why the public Debian mirrors aren't served over HTTPS? If there isn't any, then further to this, is there any reason not to mandate all public Debian mirrors HTTPS-only?

Alfie

--
Alfie John
alf...@fastmail.fm

Archive: https://lists.debian.org/1401452101.25524.123263721.146f1...@webmail.messagingengine.com
Re: Debian mirrors and MITM
On Fri, May 30, 2014, at 10:24 PM, Michael Stone wrote:
> On Fri, May 30, 2014 at 10:15:01PM +1000, Alfie John wrote:
> > The public Debian mirrors seem like an obvious target for governments to MITM. I know that the MD5s are also published, but unless you're verifying them with third parties, what's stopping the MD5s being compromised too?
>
> The cryptographic signatures that are validated automatically by apt.

What's stopping the attacker from serving a compromised apt?

Alfie

--
Alfie John
alf...@fastmail.fm

Archive: https://lists.debian.org/1401453836.31698.123277245.0bfa1...@webmail.messagingengine.com
Re: Debian mirrors and MITM
On Fri, May 30, 2014, at 10:43 PM, Alfie John wrote:
> > The cryptographic signatures that are validated automatically by apt.
>
> What's stopping the attacker from serving a compromised apt?

Thinking about this more, if I wanted to target a Debian system via MITM, serving a compromised APT would be all I needed. In the future, a modified package could be served and it wouldn't matter what the signatures were, seeing as I could have control of APT.

Alfie

--
Alfie John
alf...@fastmail.fm

Archive: https://lists.debian.org/1401454416.2074.123278697.7b672...@webmail.messagingengine.com
Re: Debian mirrors and MITM
On Fri, May 30, 2014, at 10:49 PM, Chris Boot wrote:
> > > The cryptographic signatures that are validated automatically by apt.
> >
> > What's stopping the attacker from serving a compromised apt?
>
> Oh god, not this again.
>
> How exactly does using HTTPS solve this particular problem, anyway? If we assume a compromised APT then surely it can pass invalid SSL certificates as perfectly valid, too. It's not like sponsored attackers don't have access to all the SSL certificates they might ever want anyway.

By mandating HTTPS, it would prevent QuantumInsert and FoxAcid being implemented during Debian installs and later package installs/updates.

If you're worried about SSL certificates being compromised, going down the path of Debian self-signing its own certificate and distributing it via SneakerNet would be a way to prevent it.

Alfie

--
Alfie John
alf...@fastmail.fm

Archive: https://lists.debian.org/1401454841.3847.123280441.07217...@webmail.messagingengine.com
Re: Debian mirrors and MITM
On Fri, May 30, 2014, at 11:08 PM, Adam D. Barratt wrote:
> > > The cryptographic signatures that are validated automatically by apt.
> >
> > What's stopping the attacker from serving a compromised apt?
>
> How would you get the client's system to install it in the first place? (More specifically, how would you get the cryptographic signature to match your package, given a lack of access to any of the keys trusted by the client's system?)

As I posted earlier, all you would need to do is MITM the install of APT during an install. Who cares what the signatures look like, since you've NOPed the checksumming code!

Alfie

--
Alfie John
alf...@fastmail.fm

Archive: https://lists.debian.org/1401455611.6597.123286253.5d5a4...@webmail.messagingengine.com
Re: Debian mirrors and MITM
On Fri, May 30, 2014, at 11:03 PM, Estelmann, Christian wrote:
> In Oct 2013 a similar discussion started: https://lists.debian.org/debian-security/2013/10/msg00027.html

Thanks for the link, but that discussion went nowhere pretty fast.

Alfie

--
Alfie John
alf...@fastmail.fm

Archive: https://lists.debian.org/1401455789.7468.123287497.4aee6...@webmail.messagingengine.com
Re: Debian mirrors and MITM
On Fri, May 30, 2014, at 11:17 PM, Reid Sutherland wrote:
> > As I posted earlier, all you would need to do is MITM the install of APT during an install. Who cares what the signatures look like, since you've NOPed the checksumming code!
>
> So OpenSSL can be flawed and nobody bats an eye, APT uses GnuPG and everyone (this guy) loses their mind?

Strawman much? What does bringing up OpenSSL have to do with Debian mirrors being MITMed?

Alfie

--
Alfie John
alf...@fastmail.fm

Archive: https://lists.debian.org/1401456195.8866.123289337.07259...@webmail.messagingengine.com
Re: Debian mirrors and MITM
On Fri, May 30, 2014, at 11:24 PM, Michael Stone wrote:
> On Fri, May 30, 2014 at 11:13:31PM +1000, Alfie John wrote:
> > As I posted earlier, all you would need to do is MITM the install of APT during an install. Who cares what the signatures look like, since you've NOPed the checksumming code!
>
> That's why you verify the initial install media per the link I posted earlier...

Well yes, that's something. But serving Debian over HTTPS would prevent the need for this.

Alfie

--
Alfie John
alf...@fastmail.fm

Archive: https://lists.debian.org/1401456358.9280.123291613.503b4...@webmail.messagingengine.com
Re: Debian mirrors and MITM
On Fri, May 30, 2014, at 11:27 PM, Michael Stone wrote:
> On Fri, May 30, 2014 at 09:24:47AM -0400, Michael Stone wrote:
> > That's why you verify the initial install media per the link I posted earlier...
>
> Oh, and those key fingerprints are on an https page for those who actually trust the CA system.

That was my next question. If the fingerprints are on an HTTPS-served page, then yes, that seems like a valid solution.

And thanks Reid Sutherland for telling me I have no clue. Much appreciated.

Alfie

--
Alfie John
alf...@fastmail.fm

Archive: https://lists.debian.org/1401456637.10889.123292765.031db...@webmail.messagingengine.com
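The trust path the last two messages settle on (verify the install media, with the signing-key fingerprint taken from a page served over HTTPS), written out as an added example. This is not code from the thread or from the Debian project. It assumes gpg is on PATH with the Debian image signing key already imported, that the image was downloaded together with the SHA256SUMS and SHA256SUMS.sign files published beside it, and that PINNED_FINGERPRINT, a placeholder here, has been filled in from the fingerprint page fetched over HTTPS. The mirror that served all three files is never trusted; the pinned fingerprint is the only anchor.

```python
"""Verify a Debian install image against a fingerprint obtained out of band.

Added example, not code from the thread or from the Debian project.
Assumes: gpg on PATH with the Debian image signing key imported; the image,
SHA256SUMS and SHA256SUMS.sign downloaded into one directory; and
PINNED_FINGERPRINT (a placeholder below) filled in from Debian's HTTPS page.
The mirror that served all three files is never trusted.
"""
import hashlib
import os
import subprocess
import sys

# PLACEHOLDER: 40 hex digits of the Debian image signing key, copied from
# the fingerprint page served over HTTPS, not from the mirror.
PINNED_FINGERPRINT = "0000000000000000000000000000000000000000"


def parse_sha256sums(text):
    """Parse SHA256SUMS ("<64 hex>  <name>", '*' marks binary mode) into
    {name: hexdigest}. Malformed lines raise so a truncated or edited
    file fails loudly instead of silently verifying nothing."""
    sums = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError("malformed SHA256SUMS line %d" % lineno)
        digest, name = parts
        int(digest, 16)  # non-hex digest -> ValueError
        sums[name.lstrip("*")] = digest.lower()
    return sums


def sha256_file(path, chunk=1 << 20):
    """Stream a multi-gigabyte image through SHA-256 without loading it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_digest(iso_path, sums):
    """Digest step: the image must be listed and its SHA-256 must match."""
    name = os.path.basename(iso_path)
    return name in sums and sha256_file(iso_path) == sums[name]


def signature_fingerprint(sums_path, sig_path):
    """Fingerprint of the key that made a valid signature over sums_path,
    or None. gpg exits 0 for a good signature from *any* key in the
    keyring, so the exit status is not enough; read the machine-readable
    status lines and take the fingerprint from VALIDSIG."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, sums_path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, check=False)
    for line in proc.stdout.decode("utf-8", "replace").splitlines():
        f = line.split()
        if len(f) >= 3 and f[0] == "[GNUPG:]" and f[1] == "VALIDSIG":
            return f[2].upper()
    return None


def verify_image(iso_path, sums_path, sig_path, pinned=PINNED_FINGERPRINT):
    """Whole chain: pinned fingerprint -> signed SHA256SUMS -> image digest.
    Returns (ok, reason)."""
    fpr = signature_fingerprint(sums_path, sig_path)
    if fpr is None:
        return False, "SHA256SUMS carries no valid signature"
    if fpr != pinned.upper():
        return False, "SHA256SUMS signed by %s, not the pinned key" % fpr
    with open(sums_path, "r", encoding="utf-8") as f:
        sums = parse_sha256sums(f.read())
    if not check_digest(iso_path, sums):
        return False, "image missing from SHA256SUMS or digest mismatch"
    return True, "ok: image matches a SHA256SUMS signed by the pinned key"


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: %s IMAGE.iso SHA256SUMS SHA256SUMS.sign" % sys.argv[0])
    ok, reason = verify_image(*sys.argv[1:])
    print(reason)
    sys.exit(0 if ok else 1)
```

The gpg exit status alone would not do here: gpg reports success for a good signature from any key in the keyring, so a mirror that also hands out an attacker's public key and a SHA256SUMS signed with it would pass a naive "did gpg --verify succeed" check. Comparing the VALIDSIG fingerprint with the value copied from the HTTPS page is what ties the chain to Debian rather than to whoever is serving the files.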
Re: Debian mirrors and MITM
On Fri, May 30, 2014, at 11:29 PM, Michael Stone wrote:
> On Fri, May 30, 2014 at 11:25:58PM +1000, Alfie John wrote:
> > Well yes, that's something. But serving Debian over HTTPS would prevent the need for this.
>
> No, it wouldn't--you'd just have a different set of problems. Given that mirrors are distributed, it would probably be much more likely that you'd improperly rely on a compromised mirror simply because it's serving files via https.

If the fingerprints were on a canonical Debian server (aka non-mirror) being served over HTTPS, then I would be happy with that too.

Alfie

--
Alfie John
alf...@fastmail.fm

Archive: https://lists.debian.org/1401456752.11334.123293437.379eb...@webmail.messagingengine.com
Re: Debian mirrors and MITM
On Fri, May 30, 2014, at 11:37 PM, Reid Sutherland wrote:
> > > Oh, and those key fingerprints are on an https page for those who actually trust the CA system.
> >
> > That was my next question. If the fingerprints are on an HTTPS-served page, then yes, that seems like a valid solution.
> >
> > And thanks Reid Sutherland for telling me I have no clue. Much appreciated.
>
> In your private response to me, you didn't. The whole point here is that Debian is already verifying the content it is receiving from any given data source. This was done from the very beginning because anyone can mirror and distribute Debian software. So unless there is a flaw with libc and libgpg, we are safe for downloading the public Debian content from anywhere.

Several times (public and private) I tried to explain how the download of APT (the binary itself) on an initial Debian install could be compromised via MITM since it's over plaintext. Then the verification of packages could simply be skipped (hence NOP).

I'm not sure why you're bringing libc and libgpg into the conversation.

Alfie

--
Alfie John
alf...@fastmail.fm

Archive: https://lists.debian.org/1401457832.14998.123299485.589aa...@webmail.messagingengine.com
Re: Debian mirrors and MITM
On Sat, May 31, 2014, at 12:06 AM, micah anderson wrote:
> > > The cryptographic signatures that are validated automatically by apt.
> >
> > What's stopping the attacker from serving a compromised apt?
>
> apt will check that the new apt is properly signed. This entire secure artifice depends entirely on the integrity of apt, and presumably the various libraries that it depends on. Now I don't want to call into question the esteemed authors of said program, and depending libraries, but I do think that providing https mirrors gives us two distinct advantages over plain http:
>
> . in the case that there is a bug in apt, or gpg, or something else, having https would provide at minimum a minor set of defense against bulk, non-targeted quantum insert and foxacid attacks, not to mention MiTM compromises from a hostile local network

Yep, already mentioned this one. This is my biggest issue. I'm beginning to think this should be classified as a security bug in Debian.

> . keeps an adversary who may be listening on the wire from looking at what you are installing. who cares what you are installing? well it turns out that is very interesting information. If you can see that I've just installed X package, and you then just look over at our security tracker and find that this package has an exploit...

It's only metadata, so who cares, right? Only kidding. This is a totally legitimate scenario which I didn't think of. Nice.

Alfie

--
Alfie John
alf...@fastmail.fm

Archive: https://lists.debian.org/1401459088.20943.123308065.4e198...@webmail.messagingengine.com
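micah's second point, what someone listening on the wire learns from plain-HTTP package fetches, as an added example; this is not code from the thread or from Debian. It assumes the observer has the HTTP request lines, say from a tap, a transparent proxy or a hostile access point. The request lines and the table of "affected" versions are constructed for the demonstration, and the table is a made-up stand-in for the security tracker lookup micah describes, not real advisory data. What the Debian pool URL hands over in the clear is the binary package name, the exact version and the architecture, per client.

```python
"""What a passive observer on the path to a plain-HTTP mirror learns.

Added example, not from the thread or the Debian project. The request
lines and the 'affected versions' table below are constructed for the
demonstration; the table is a stand-in for a security-tracker lookup,
not real advisory data.
"""
import re
from collections import namedtuple
from urllib.parse import unquote

# Debian pool layout: /pool/<component>/<prefix>/<source>/<pkg>_<version>_<arch>.deb
# (<prefix> is the source's first letter, or "lib" + letter for lib* sources).
# apt percent-encodes the epoch colon and '+' in the version, e.g. 2%3a7.3-1.
POOL_RE = re.compile(
    r"/pool/(?P<component>[^/]+)/[^/]+/(?P<source>[^/]+)/"
    r"(?P<pkg>[^/_]+)_(?P<version>[^/_]+)_(?P<arch>[^/_.]+)\.deb$")

Download = namedtuple("Download", "client source pkg version arch")

# Constructed request lines, "<client> GET <path> HTTP/1.1", as a tap or
# hostile access point would see them for an apt run over http.
CONSTRUCTED_REQUESTS = """\
10.0.0.7 GET /debian/dists/wheezy/InRelease HTTP/1.1
10.0.0.7 GET /debian/pool/main/o/openssl/libssl1.0.0_1.0.1e-2_amd64.deb HTTP/1.1
10.0.0.7 GET /debian/pool/main/b/bash/bash_4.2%2bdfsg-0.1_amd64.deb HTTP/1.1
10.0.0.9 GET /debian/pool/main/libx/libxml2/libxml2_2.8.0%2bdfsg1-7_i386.deb HTTP/1.1
10.0.0.9 GET /debian/pool/main/v/vim/vim_2%3a7.3.547-7_i386.deb HTTP/1.1
10.0.0.9 GET /debian/dists/wheezy/main/binary-i386/Packages.gz HTTP/1.1
"""

# Made-up stand-in for "look over at the security tracker": source package
# -> versions the (fictional) tracker lists as affected.
CONSTRUCTED_AFFECTED = {
    "openssl": {"1.0.1e-2"},
    "libxml2": {"2.8.0+dfsg1-7"},
}


def parse_request(line):
    """One request line -> Download, or None for anything that is not a
    .deb fetch (InRelease, Packages.gz and friends say far less)."""
    parts = line.split()
    if len(parts) < 3 or parts[1] != "GET":
        return None
    m = POOL_RE.search(parts[2])
    if not m:
        return None
    return Download(parts[0], m.group("source"), unquote(m.group("pkg")),
                    unquote(m.group("version")), m.group("arch"))


def inventory(log_text):
    """Per-client list of packages (with exact version and arch) that the
    eavesdropper can reconstruct from the URLs alone."""
    seen = {}
    for line in log_text.splitlines():
        d = parse_request(line)
        if d is not None:
            seen.setdefault(d.client, []).append(d)
    return seen


def flag_targets(log_text, affected=CONSTRUCTED_AFFECTED):
    """Clients that just fetched a version the tracker lists as affected.
    Exact-version match only: a real lookup needs dpkg version ordering
    to decide whether what was installed predates the fix."""
    hits = []
    for client, downloads in inventory(log_text).items():
        for d in downloads:
            if d.version in affected.get(d.source, ()):
                hits.append((client, d.source, d.version))
    return hits


if __name__ == "__main__":
    for client, downloads in inventory(CONSTRUCTED_REQUESTS).items():
        print(client, [(d.pkg, d.version, d.arch) for d in downloads])
    print("worth a closer look:", flag_targets(CONSTRUCTED_REQUESTS))
```

Over HTTPS the same observer still sees the mirror hostname (DNS, and SNI in the handshake) and the transfer sizes, which narrows things down somewhat, but loses the package name, exact version and architecture that the pool URL gives away in the clear.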
Re: Debian mirrors and MITM
On Sat, May 31, 2014, at 12:11 AM, Michael Stone wrote:
> On Fri, May 30, 2014 at 11:50:32PM +1000, Alfie John wrote:
> > Several times (public and private) I tried to explain how the download of APT (the binary itself) on an initial Debian install could be compromised via MITM since it's over plaintext. Then the verification of packages could simply be skipped (hence NOP).
> >
> > I'm not sure why you're bringing libc and libgpg into the conversation.
>
> You were given a solution which is cryptographically sound and with a verifiable trust path, and you're rejecting it because you simply don't like it and would rather see a different solution with a weaker trust path. I'm not sure why you're continuing this argument.

I'm not rejecting it. I'm pretty happy with verifying packages via checksums hosted on a canonical Debian HTTPS site. My reaction was referring to Reid Sutherland's comments telling me in private that there was nothing to fear because there are smarter people in the room looking after everything.

> If you want to engage in a serious discussion about enhancing the current implementation or adding additional options, I'd suggest that you first study how the current implementation works, why it was implemented the way it was, the constraints inherent in the distributed mirror model, etc.

I'm definitely wanting to engage in serious discussion. I'm an avid Debian user and am wanting to protect its users. This *is* the Debian security mailing list after all, right? All I was trying to do is ask questions as to why it is currently not being HTTPS-enforced, and I got flamed for it.

I understand the issue of distributing to mirrors and then the problem of trusting each other, but that's another discussion entirely.

Alfie

--
Alfie John
alf...@fastmail.fm

Archive: https://lists.debian.org/1401460379.27062.123315561.30584...@webmail.messagingengine.com
Re: Debian mirrors and MITM
On Sat, May 31, 2014, at 12:39 AM, Michael Stone wrote:
> On Sat, May 31, 2014 at 12:32:59AM +1000, Alfie John wrote:
> > I'm definitely wanting to engage in serious discussion. I'm an avid Debian user and am wanting to protect its users. This *is* the Debian security mailing list after all, right? All I was trying to do is ask questions as to why it is currently not being HTTPS-enforced, and I got flamed for it.
>
> Well, you haven't shown any sign of having studied the publicly available documentation or checked the public archives relating to the design decisions. Yes, it's the debian-security mailing list, but that doesn't mean that it's scalable for debian to provide a personal walkthrough of the entire package signing architecture for everyone who sends an email to the list, does it?

I haven't read the docs. And you're right, it's not a scalable solution. Sorry for asking questions.

Alfie

--
Alfie John
alf...@fastmail.fm

Archive: https://lists.debian.org/1401461172.30245.123322097.6b61a...@webmail.messagingengine.com