Hi guys,
Taking a look at the Debian mirror list, I see none serving over HTTPS:
https://www.debian.org/mirror/list
The public Debian mirrors seem like an obvious target for governments to
MITM. I know that the MD5s are also published, but unless you're
verifying them with third parties,
On Fri, May 30, 2014 at 10:15:01PM +1000, Alfie John wrote:
The public Debian mirrors seem like an obvious target for governments to
MITM. I know that the MD5s are also published, but unless you're
verifying them with third parties, what's stopping the MD5s being
compromised too?
The
On Fri, May 30, 2014, at 10:24 PM, Michael Stone wrote:
On Fri, May 30, 2014 at 10:15:01PM +1000, Alfie John wrote:
The public Debian mirrors seem like an obvious target for governments to
MITM. I know that the MD5s are also published, but unless you're
verifying them with third parties,
On Fri, May 30, 2014 at 10:43:56PM +1000, Alfie John wrote:
What's stopping the attacker from serving a compromised apt?
https://www.debian.org/CD/verify
--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact
On Fri, May 30, 2014, at 10:43 PM, Alfie John wrote:
The cryptographic signatures that are validated automatically by apt.
What's stopping the attacker from serving a compromised apt?
Thinking about this more, If I wanted to target a Debian system via
MITM, serving a compromised APT would
On 30/05/14 13:43, Alfie John wrote:
On Fri, May 30, 2014, at 10:24 PM, Michael Stone wrote:
On Fri, May 30, 2014 at 10:15:01PM +1000, Alfie John wrote:
The public Debian mirrors seem like an obvious target for governments to
MITM. I know that the MD5s are also published, but unless you're
On Fri, May 30, 2014, at 10:49 PM, Chris Boot wrote:
The cryptographic signatures that are validated automatically by apt.
What's stopping the attacker from serving a compromised apt?
Oh god not this again.
How exactly does using HTTPS solve this particular problem, anyway? If
we
On 30/05/2014 8:52 PM, Michael Stone wrote:
On Fri, May 30, 2014 at 10:43:56PM +1000, Alfie John wrote:
What's stopping the attacker from serving a compromised apt?
https://www.debian.org/CD/verify
That will cover the installer, for the packages see:
https://wiki.debian.org/SecureApt
In Oct 2013 a similar discussion startet
https://lists.debian.org/debian-security/2013/10/msg00027.html
On 30. Mai 2014 14:15:01 MESZ, Alfie John alf...@fastmail.fm wrote:
Hi guys,
Taking a look at the Debian mirror list, I see none serving over HTTPS:
https://www.debian.org/mirror/list
The
On 2014-05-30 13:43, Alfie John wrote:
On Fri, May 30, 2014, at 10:24 PM, Michael Stone wrote:
On Fri, May 30, 2014 at 10:15:01PM +1000, Alfie John wrote:
The public Debian mirrors seem like an obvious target for governments to
MITM. I know that the MD5s are also published, but unless you're
On Fri, May 30, 2014 at 10:43:56PM +1000, Alfie John wrote:
On Fri, May 30, 2014, at 10:24 PM, Michael Stone wrote:
On Fri, May 30, 2014 at 10:15:01PM +1000, Alfie John wrote:
The public Debian mirrors seem like an obvious target for governments to
MITM. I know that the MD5s are also
On Fri, May 30, 2014, at 11:08 PM, Adam D. Barratt wrote:
The cryptographic signatures that are validated automatically by apt.
What's stopping the attacker from serving a compromised apt?
How would you get the client's system to install it in the first place?
(More specifically, how
On Fri, May 30, 2014, at 11:03 PM, Estelmann, Christian wrote:
In Oct 2013 a similar discussion startet
https://lists.debian.org/debian-security/2013/10/msg00027.html
Thanks for the link, but that discussion went nowhere pretty fast.
Alfie
--
Alfie John
alf...@fastmail.fm
--
To
On May 30, 2014, at 9:13 AM, Alfie John alf...@fastmail.fm wrote:
On Fri, May 30, 2014, at 11:08 PM, Adam D. Barratt wrote:
The cryptographic signatures that are validated automatically by apt.
What's stopping the attacker from serving a compromised apt?
How would you get the client's
On Fri, May 30, 2014, at 11:17 PM, Reid Sutherland wrote:
As what I posted earlier, all you would need to do is to MITM the
install of APT during an install. Who cares what the signatures look
like since you've NOPed the checksumming code!
So OpenSSL can be flawed and nobody bats an eye,
On Fri, May 30, 2014 at 11:13:31PM +1000, Alfie John wrote:
As what I posted earlier, all you would need to do is to MITM the
install of APT during an install. Who cares what the signatures look
like since you've NOPed the checksumming code!
That's why you verify the initial install media per
On Fri, May 30, 2014, at 11:24 PM, Michael Stone wrote:
On Fri, May 30, 2014 at 11:13:31PM +1000, Alfie John wrote:
As what I posted earlier, all you would need to do is to MITM the
install of APT during an install. Who cares what the signatures look
like since you've NOPed the checksumming
Yes, but I think this time it will not be better...
Some (most?) mirrors are supporting https. If you want to use https just try
which mirrors are supporting it.
ftp.us.d.o will not work very good because of the DNS round robin.
On 30. Mai 2014 15:16:29 MESZ, Alfie John alf...@fastmail.fm
On Fri, May 30, 2014 at 09:24:47AM -0400, Michael Stone wrote:
That's why you verify the initial install media per the link I posted
earlier...
Oh, and those key fingerprints are on an https page for those who
actually trust the CA system.
--
To UNSUBSCRIBE, email to
On Fri, May 30, 2014 at 11:25:58PM +1000, Alfie John wrote:
Well yes, that's something. But serving Debian over HTTPS would prevent
the need for this.
No, it wouldn't--you'd just have a different set of problems. Given that
mirrors are distributed, it would probably be much more likely that
On Fri, May 30, 2014, at 11:27 PM, Michael Stone wrote:
On Fri, May 30, 2014 at 09:24:47AM -0400, Michael Stone wrote:
That's why you verify the initial install media per the link I posted
earlier...
Oh, and those key fingerprints are on an https page for those who
actually trust the CA
On Fri, May 30, 2014, at 11:29 PM, Michael Stone wrote:
On Fri, May 30, 2014 at 11:25:58PM +1000, Alfie John wrote:
Well yes, that's something. But serving Debian over HTTPS would prevent
the need for this.
No, it wouldn't--you'd just have a different set of problems. Given that
mirrors
On May 30, 2014, at 9:30 AM, Alfie John alf...@fastmail.fm wrote:
On Fri, May 30, 2014, at 11:27 PM, Michael Stone wrote:
On Fri, May 30, 2014 at 09:24:47AM -0400, Michael Stone wrote:
That's why you verify the initial install media per the link I posted
earlier...
Oh, and those key
On Fri, May 30, 2014, at 11:37 PM, Reid Sutherland wrote:
Oh, and those key fingerprints are on an https page for those who
actually trust the CA system.
That was my next question. If the fingerprints are on a HTTPS served
page, then yes that seems like a valid solution.
And thanks
Kurt Roeckx k...@roeckx.be writes:
On Fri, May 30, 2014 at 10:43:56PM +1000, Alfie John wrote:
On Fri, May 30, 2014, at 10:24 PM, Michael Stone wrote:
On Fri, May 30, 2014 at 10:15:01PM +1000, Alfie John wrote:
The public Debian mirrors seem like an obvious target for governments to
MITM.
On May 30, 2014, at 9:50 AM, Alfie John alf...@fastmail.fm wrote:
The whole point here is that Debian is already verifying the content it
is receiving from any given data source. This was done from the very
beginning because anyone can mirror and distribute Debian software. So
unless there
On Sat, May 31, 2014, at 12:06 AM, micah anderson wrote:
The cryptographic signatures that are validated automatically by
apt.
What's stopping the attacker from serving a compromised apt?
apt will check that the new apt is properly signed.
This entire secure artifice depends
On Fri, May 30, 2014 at 11:50:32PM +1000, Alfie John wrote:
Several times (public and private) I tried to explain how the download
of APT (the binary itself) on an initial Debian install could be
compromised via MITM since it's over plaintext. Then the verification of
packages could simply be
On Fri, May 30, 2014 at 11:50:32PM +1000, Alfie John wrote:
Several times (public and private) I tried to explain how the download
of APT (the binary itself) on an initial Debian install could be
compromised via MITM since it's over plaintext. Then the verification of
packages could simply be
On Sat, May 31, 2014 at 12:11:28AM +1000, Alfie John wrote:
On Sat, May 31, 2014, at 12:06 AM, micah anderson wrote:
. keeps an adversary who may be listening on the wire from
looking at what you are installing. who cares what you are
installing? well it turns out
On Sat, May 31, 2014 at 12:32:59AM +1000, Alfie John wrote:
I'm definitely wanting to engage in serious discussion. I'm an avid
Debian user and am wanting to protect its users. This *is* the Debian
security mailing list after all right? All I was trying to do is ask
questions as to why it is
On Sat, May 31, 2014, at 12:11 AM, Michael Stone wrote:
On Fri, May 30, 2014 at 11:50:32PM +1000, Alfie John wrote:
Several times (public and private) I tried to explain how the
download of APT (the binary itself) on an initial Debian install
could be compromised via MITM since it's over
I have to laugh at this, my phone was going off constantly this morning,
and I was thinking I don't have this much email normally! Looked over
the discussion and thought, didn't this discussion happen recently?
It was something I was randomly thinking about one day too, but really
plain-text
On May 30, 2014, at 10:11 AM, Alfie John alf...@fastmail.fm wrote:
. keeps an adversary who may be listening on the wire from
looking at what you are installing. who cares what you are
installing? well it turns out that is very interesting
information. If
On Sat, May 31, 2014, at 12:39 AM, Michael Stone wrote:
On Sat, May 31, 2014 at 12:32:59AM +1000, Alfie John wrote:
I'm definitely wanting to engage in serious discussion. I'm an avid
Debian user and am wanting to protect its users. This *is* the Debian
security mailing list after all right?
On Sat, May 31, 2014 at 12:46:12AM +1000, Alfie John wrote:
Sorry for asking questions.
Don't apologize for asking questions, it's perfectly reasonable to do so
and you'll find that many people in debian are more than happy to answer
questions. Just make sure that you put in enough effort
On Fri, May 30, 2014 at 10:03 AM, Hans Spaans h...@dailystuff.nl wrote:
What basically is missing for a running system is repository signing key
pinning for packages that would prevent that a third party repository
could upgrade components provided by the base OS. How many of us didn't
added
On 30.05.2014 21:35, Jeremie Marguerie wrote:
To protect openssh-server you would need to prevent modification of
its dependency. But the PPA could just install a program that
overrides the openssh-server manually (without doing that from APT).
In this case, unless you run debsums you wouldn't
On Fri, May 30, 2014 at 10:35:58AM -0700, Jeremie Marguerie wrote:
In the end, the PPA can do pretty much whatever it wants from your
system and this is scary. This is a hard problem to protect against
and the only protection I see is... only install PPAs you can trust.
Yup; any pinning
Quoting Jeremie Marguerie jere...@marguerie.org:
Thanks for bringing that issue! I feel the same way when I install a
packet from a non-official PPA.
Unfortunately, every package can do anything: pre-inst, post-inst,
pre-rm, post-rm run as root. If you don't trust a PPA the same way
you trust
Alfie John wrote:
Taking a look at the Debian mirror list, I see none serving over HTTPS:
https://www.debian.org/mirror/list
https://mirrors.kernel.org/debian is the only one I know of.
It would be good to have a few more, because there are situations where
debootstrap is used without
Le 30/05/2014 21:30, Joey Hess a écrit :
Alfie John wrote:
Taking a look at the Debian mirror list, I see none serving over HTTPS:
https://www.debian.org/mirror/list
https://mirrors.kernel.org/debian is the only one I know of.
It would be good to have a few more, because there are
On Fri, 30 May 2014, Erwan David wrote:
Le 30/05/2014 21:30, Joey Hess a écrit :
Alfie John wrote:
Taking a look at the Debian mirror list, I see none serving over HTTPS:
https://www.debian.org/mirror/list
https://mirrors.kernel.org/debian is the only one I know of.
It would be good
Le 30/05/2014 22:02, Henrique de Moraes Holschuh a écrit :
On Fri, 30 May 2014, Erwan David wrote:
Le 30/05/2014 21:30, Joey Hess a écrit :
Alfie John wrote:
Taking a look at the Debian mirror list, I see none serving over HTTPS:
https://www.debian.org/mirror/list
On Fri, May 30, 2014 at 09:43:47PM +0200, Erwan David wrote:
Note that at least debian.org DNS is segned by DNSSEC and DANE is used,
which allows to check that the certificate used by a debian.org site is
the real one.
We're not at the point where that can be relied on in the real world.
On Sat, May 31, 2014 at 2:41 AM, W. Martin Borgert wrote:
in a VM or a container (not sure, whether a docker container is
considered safe enough, but chroot is not sufficient).
One of the Debian Linux kernel package maintainers doesn't consider
containers to be secure enough to rely solely on
On Fri, May 30, 2014 at 8:15 PM, Alfie John wrote:
Taking a look at the Debian mirror list, I see none serving over HTTPS:
https://www.debian.org/mirror/list
Then you aren't trying hard enough, several of them support https,
these ones at least:
https://mirrors.kernel.org/debian/
47 matches
Mail list logo