On May 30, 2014, at 10:06 AM, micah anderson wrote:
Kurt Roeckx k...@roeckx.be writes:
On Fri, May 30, 2014 at 10:43:56PM +1000, Alfie John wrote:
On Fri, May 30, 2014, at 10:24 PM, Michael Stone wrote:
On Fri, May 30, 2014 at 10:15:01PM +1000, Alfie John wrote:
The public Debian mirrors
On Jun 2, 2014, at 9:29 AM, Jann Horn wrote:
On Fri, May 30, 2014 at 10:06:06AM -0400, micah anderson wrote:
Now I don't want to call into question the esteemed authors of said
program, and depending libraries, but I do think that providing https
mirrors gives us two distinct advantages over
On Jul 3, 2014, at 11:05 AM, Hans-Christoph Steiner wrote:
On May 30, 2014, at 10:06 AM, micah anderson wrote:
Kurt Roeckx k...@roeckx.be writes:
On Fri, May 30, 2014 at 10:43:56PM +1000, Alfie John wrote:
On Fri, May 30, 2014, at 10:24 PM, Michael Stone wrote:
On Fri, May 30, 2014 at
On Thu, Jul 03, 2014 at 11:05:17AM -0400, Hans-Christoph Steiner wrote:
I definitely agree there are legitimate concerns that using HTTPS on apt
mirrors would help, and people who suggest otherwise are out of date on what
the threats are. I think the integrity of the package itself is not
On Jul 3, 2014, at 11:09 AM, Hans-Christoph Steiner h...@at.or.at wrote:
On Jun 2, 2014, at 9:29 AM, Jann Horn wrote:
On Fri, May 30, 2014 at 10:06:06AM -0400, micah anderson wrote:
Now I don't want to call into question the esteemed authors of said
program, and depending libraries, but I
On Jul 3, 2014, at 11:55 AM, Reid Sutherland wrote:
On Jul 3, 2014, at 11:09 AM, Hans-Christoph Steiner h...@at.or.at wrote:
On Jun 2, 2014, at 9:29 AM, Jann Horn wrote:
On Fri, May 30, 2014 at 10:06:06AM -0400, micah anderson wrote:
Now I don't want to call into question the esteemed
Hans-Christoph Steiner h...@at.or.at writes:
I should add: apt-transport-tor is a great project to improve this situation
as well that is probably more secure than HTTPS, but at a cost of probably
much slower download speeds. Using an apt mirror with an onion address would
entirely
On Jul 3, 2014, at 11:52 AM, Michael Stone wrote:
On Thu, Jul 03, 2014 at 11:05:17AM -0400, Hans-Christoph Steiner wrote:
I definitely agree there are legitimate concerns that using HTTPS on apt
mirrors would help, and people who suggest otherwise are out of date on what
the threats are.
On Jul 3, 2014, at 12:10 PM, Hans-Christoph Steiner wrote:
On Jul 3, 2014, at 11:52 AM, Michael Stone wrote:
On Thu, Jul 03, 2014 at 11:05:17AM -0400, Hans-Christoph Steiner wrote:
I definitely agree there are legitimate concerns that using HTTPS on apt
mirrors would help, and people
On Jul 3, 2014, at 12:25 PM, Hans-Christoph Steiner h...@at.or.at wrote:
As for how to manage making HTTPS by default, this does not require every
mirror buying HTTPS certificates every year from Certificate Authorities.
There are workable solutions based on self-signed certificates.
In
On 07/03/2014 12:38 PM, Reid Sutherland wrote:
On Jul 3, 2014, at 12:25 PM, Hans-Christoph Steiner h...@at.or.at wrote:
As for how to manage making HTTPS by default, this does not require every
mirror buying HTTPS certificates every year from Certificate Authorities.
There are workable
On Jul 3, 2014, at 12:46 PM, Hans-Christoph Steiner h...@at.or.at wrote:
SSH uses entirely unsigned keys, and it has proven a lot more reliable than
HTTPS/TLS. You use HTTPS/TLS keys the same way as SSH, but TLS requires
signed keys, self-signed works. The signatures are only worth the
On 07/03/2014 12:58 PM, Reid Sutherland wrote:
On Jul 3, 2014, at 12:46 PM, Hans-Christoph Steiner h...@at.or.at wrote:
SSH uses entirely unsigned keys, and it has proven a lot more reliable than
HTTPS/TLS. You use HTTPS/TLS keys the same way as SSH, but TLS requires
signed keys,
* Hans-Christoph Steiner h...@at.or.at [140703 18:10]:
You are correct that HTTPS would not entirely address #2, but it does
improve the situation over HTTP. For example, an ISP, network operator,
or government could block an entire mirror or all mirrors by redirecting
requests to their own
On Thu, Jul 03, 2014 at 12:46:45PM -0400, Hans-Christoph Steiner wrote:
Google uses SPKI pinning heavily, for example,
but they still use CA-signed certificates so their HTTPS works with Firefox,
IE, Opera, etc.
Yes, and MS does similar. The difference is, they own their
infrastructure and
On 07/03/2014 03:08 PM, Michael Stone wrote:
On Thu, Jul 03, 2014 at 12:46:45PM -0400, Hans-Christoph Steiner wrote:
Google uses SPKI pinning heavily, for example,
but they still use CA-signed certificates so their HTTPS works with Firefox,
IE, Opera, etc.
Yes, and MS does similar. The
On 07/03/2014 02:26 PM, Bernhard R. Link wrote:
* Hans-Christoph Steiner h...@at.or.at [140703 18:10]:
You are correct that HTTPS would not entirely address #2, but it does
improve the situation over HTTP. For example, an ISP, network operator,
or government could block an entire mirror or
On Fri, May 30, 2014 at 10:06:06AM -0400, micah anderson wrote:
Now I don't want to call into question the esteemed authors of said
program, and depending libraries, but I do think that providing https
mirrors gives us two distinct advantages over plain http:
. in the case that there
On Fri, 30 May 2014, Joey Hess wrote:
Alfie John wrote:
Taking a look at the Debian mirror list, I see none serving over HTTPS:
https://www.debian.org/mirror/list
https://mirrors.kernel.org/debian is the only one I know of.
It would be good to have a few more, because there are
Peter Palfrader:
On Fri, 30 May 2014, Joey Hess wrote:
Alfie John wrote:
Taking a look at the Debian mirror list, I see none serving over HTTPS:
https://www.debian.org/mirror/list
https://mirrors.kernel.org/debian is the only one I know of.
It would be good to have a few more, because
Joey Hess: [...] there are situations where
debootstrap is used without debian-archive-keyring being available, [...]
Please elaborate, which situations are these?
--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On 31-05-14 12:55, Patrick Schleizer wrote:
Joey Hess: [...] there are situations where
debootstrap is used without debian-archive-keyring being
available, [...]
Please elaborate, which situations are these?
Let me answer this: using
On Fri, May 30, 2014 at 10:15:01PM +1000, Alfie John wrote:
The public Debian mirrors seem like an obvious target for governments to
MITM. I know that the MD5s are also published, but unless you're
verifying them with third parties, what's stopping the MD5s being
compromised too?
The
On Fri, May 30, 2014, at 10:24 PM, Michael Stone wrote:
On Fri, May 30, 2014 at 10:15:01PM +1000, Alfie John wrote:
The public Debian mirrors seem like an obvious target for governments to
MITM. I know that the MD5s are also published, but unless you're
verifying them with third parties,
On Fri, May 30, 2014 at 10:43:56PM +1000, Alfie John wrote:
What's stopping the attacker from serving a compromised apt?
https://www.debian.org/CD/verify
--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact
On Fri, May 30, 2014, at 10:43 PM, Alfie John wrote:
The cryptographic signatures that are validated automatically by apt.
What's stopping the attacker from serving a compromised apt?
Thinking about this more, If I wanted to target a Debian system via
MITM, serving a compromised APT would
On 30/05/14 13:43, Alfie John wrote:
On Fri, May 30, 2014, at 10:24 PM, Michael Stone wrote:
On Fri, May 30, 2014 at 10:15:01PM +1000, Alfie John wrote:
The public Debian mirrors seem like an obvious target for governments to
MITM. I know that the MD5s are also published, but unless you're
On Fri, May 30, 2014, at 10:49 PM, Chris Boot wrote:
The cryptographic signatures that are validated automatically by apt.
What's stopping the attacker from serving a compromised apt?
Oh god not this again.
How exactly does using HTTPS solve this particular problem, anyway? If
we
On 30/05/2014 8:52 PM, Michael Stone wrote:
On Fri, May 30, 2014 at 10:43:56PM +1000, Alfie John wrote:
What's stopping the attacker from serving a compromised apt?
https://www.debian.org/CD/verify
That will cover the installer, for the packages see:
https://wiki.debian.org/SecureApt
In Oct 2013 a similar discussion startet
https://lists.debian.org/debian-security/2013/10/msg00027.html
On 30. Mai 2014 14:15:01 MESZ, Alfie John alf...@fastmail.fm wrote:
Hi guys,
Taking a look at the Debian mirror list, I see none serving over HTTPS:
https://www.debian.org/mirror/list
The
On 2014-05-30 13:43, Alfie John wrote:
On Fri, May 30, 2014, at 10:24 PM, Michael Stone wrote:
On Fri, May 30, 2014 at 10:15:01PM +1000, Alfie John wrote:
The public Debian mirrors seem like an obvious target for governments to
MITM. I know that the MD5s are also published, but unless you're
On Fri, May 30, 2014 at 10:43:56PM +1000, Alfie John wrote:
On Fri, May 30, 2014, at 10:24 PM, Michael Stone wrote:
On Fri, May 30, 2014 at 10:15:01PM +1000, Alfie John wrote:
The public Debian mirrors seem like an obvious target for governments to
MITM. I know that the MD5s are also
On Fri, May 30, 2014, at 11:08 PM, Adam D. Barratt wrote:
The cryptographic signatures that are validated automatically by apt.
What's stopping the attacker from serving a compromised apt?
How would you get the client's system to install it in the first place?
(More specifically, how
On Fri, May 30, 2014, at 11:03 PM, Estelmann, Christian wrote:
In Oct 2013 a similar discussion startet
https://lists.debian.org/debian-security/2013/10/msg00027.html
Thanks for the link, but that discussion went nowhere pretty fast.
Alfie
--
Alfie John
alf...@fastmail.fm
--
To
On May 30, 2014, at 9:13 AM, Alfie John alf...@fastmail.fm wrote:
On Fri, May 30, 2014, at 11:08 PM, Adam D. Barratt wrote:
The cryptographic signatures that are validated automatically by apt.
What's stopping the attacker from serving a compromised apt?
How would you get the client's
On Fri, May 30, 2014, at 11:17 PM, Reid Sutherland wrote:
As what I posted earlier, all you would need to do is to MITM the
install of APT during an install. Who cares what the signatures look
like since you've NOPed the checksumming code!
So OpenSSL can be flawed and nobody bats an eye,
On Fri, May 30, 2014 at 11:13:31PM +1000, Alfie John wrote:
As what I posted earlier, all you would need to do is to MITM the
install of APT during an install. Who cares what the signatures look
like since you've NOPed the checksumming code!
That's why you verify the initial install media per
On Fri, May 30, 2014, at 11:24 PM, Michael Stone wrote:
On Fri, May 30, 2014 at 11:13:31PM +1000, Alfie John wrote:
As what I posted earlier, all you would need to do is to MITM the
install of APT during an install. Who cares what the signatures look
like since you've NOPed the checksumming
Yes, but I think this time it will not be better...
Some (most?) mirrors are supporting https. If you want to use https just try
which mirrors are supporting it.
ftp.us.d.o will not work very good because of the DNS round robin.
On 30. Mai 2014 15:16:29 MESZ, Alfie John alf...@fastmail.fm
On Fri, May 30, 2014 at 09:24:47AM -0400, Michael Stone wrote:
That's why you verify the initial install media per the link I posted
earlier...
Oh, and those key fingerprints are on an https page for those who
actually trust the CA system.
--
To UNSUBSCRIBE, email to
On Fri, May 30, 2014 at 11:25:58PM +1000, Alfie John wrote:
Well yes, that's something. But serving Debian over HTTPS would prevent
the need for this.
No, it wouldn't--you'd just have a different set of problems. Given that
mirrors are distributed, it would probably be much more likely that
On Fri, May 30, 2014, at 11:27 PM, Michael Stone wrote:
On Fri, May 30, 2014 at 09:24:47AM -0400, Michael Stone wrote:
That's why you verify the initial install media per the link I posted
earlier...
Oh, and those key fingerprints are on an https page for those who
actually trust the CA
On Fri, May 30, 2014, at 11:29 PM, Michael Stone wrote:
On Fri, May 30, 2014 at 11:25:58PM +1000, Alfie John wrote:
Well yes, that's something. But serving Debian over HTTPS would prevent
the need for this.
No, it wouldn't--you'd just have a different set of problems. Given that
mirrors
On May 30, 2014, at 9:30 AM, Alfie John alf...@fastmail.fm wrote:
On Fri, May 30, 2014, at 11:27 PM, Michael Stone wrote:
On Fri, May 30, 2014 at 09:24:47AM -0400, Michael Stone wrote:
That's why you verify the initial install media per the link I posted
earlier...
Oh, and those key
On Fri, May 30, 2014, at 11:37 PM, Reid Sutherland wrote:
Oh, and those key fingerprints are on an https page for those who
actually trust the CA system.
That was my next question. If the fingerprints are on a HTTPS served
page, then yes that seems like a valid solution.
And thanks
Kurt Roeckx k...@roeckx.be writes:
On Fri, May 30, 2014 at 10:43:56PM +1000, Alfie John wrote:
On Fri, May 30, 2014, at 10:24 PM, Michael Stone wrote:
On Fri, May 30, 2014 at 10:15:01PM +1000, Alfie John wrote:
The public Debian mirrors seem like an obvious target for governments to
MITM.
On May 30, 2014, at 9:50 AM, Alfie John alf...@fastmail.fm wrote:
The whole point here is that Debian is already verifying the content it
is receiving from any given data source. This was done from the very
beginning because anyone can mirror and distribute Debian software. So
unless there
On Sat, May 31, 2014, at 12:06 AM, micah anderson wrote:
The cryptographic signatures that are validated automatically by
apt.
What's stopping the attacker from serving a compromised apt?
apt will check that the new apt is properly signed.
This entire secure artifice depends
On Fri, May 30, 2014 at 11:50:32PM +1000, Alfie John wrote:
Several times (public and private) I tried to explain how the download
of APT (the binary itself) on an initial Debian install could be
compromised via MITM since it's over plaintext. Then the verification of
packages could simply be
On Fri, May 30, 2014 at 11:50:32PM +1000, Alfie John wrote:
Several times (public and private) I tried to explain how the download
of APT (the binary itself) on an initial Debian install could be
compromised via MITM since it's over plaintext. Then the verification of
packages could simply be
On Sat, May 31, 2014 at 12:11:28AM +1000, Alfie John wrote:
On Sat, May 31, 2014, at 12:06 AM, micah anderson wrote:
. keeps an adversary who may be listening on the wire from
looking at what you are installing. who cares what you are
installing? well it turns out
On Sat, May 31, 2014 at 12:32:59AM +1000, Alfie John wrote:
I'm definitely wanting to engage in serious discussion. I'm an avid
Debian user and am wanting to protect its users. This *is* the Debian
security mailing list after all right? All I was trying to do is ask
questions as to why it is
On Sat, May 31, 2014, at 12:11 AM, Michael Stone wrote:
On Fri, May 30, 2014 at 11:50:32PM +1000, Alfie John wrote:
Several times (public and private) I tried to explain how the
download of APT (the binary itself) on an initial Debian install
could be compromised via MITM since it's over
I have to laugh at this, my phone was going off constantly this morning,
and I was thinking I don't have this much email normally! Looked over
the discussion and thought, didn't this discussion happen recently?
It was something I was randomly thinking about one day too, but really
plain-text
On May 30, 2014, at 10:11 AM, Alfie John alf...@fastmail.fm wrote:
. keeps an adversary who may be listening on the wire from
looking at what you are installing. who cares what you are
installing? well it turns out that is very interesting
information. If
On Sat, May 31, 2014, at 12:39 AM, Michael Stone wrote:
On Sat, May 31, 2014 at 12:32:59AM +1000, Alfie John wrote:
I'm definitely wanting to engage in serious discussion. I'm an avid
Debian user and am wanting to protect its users. This *is* the Debian
security mailing list after all right?
On Sat, May 31, 2014 at 12:46:12AM +1000, Alfie John wrote:
Sorry for asking questions.
Don't apologize for asking questions, it's perfectly reasonable to do so
and you'll find that many people in debian are more than happy to answer
questions. Just make sure that you put in enough effort
On Fri, May 30, 2014 at 10:03 AM, Hans Spaans h...@dailystuff.nl wrote:
What basically is missing for a running system is repository signing key
pinning for packages that would prevent that a third party repository
could upgrade components provided by the base OS. How many of us didn't
added
On 30.05.2014 21:35, Jeremie Marguerie wrote:
To protect openssh-server you would need to prevent modification of
its dependency. But the PPA could just install a program that
overrides the openssh-server manually (without doing that from APT).
In this case, unless you run debsums you wouldn't
On Fri, May 30, 2014 at 10:35:58AM -0700, Jeremie Marguerie wrote:
In the end, the PPA can do pretty much whatever it wants from your
system and this is scary. This is a hard problem to protect against
and the only protection I see is... only install PPAs you can trust.
Yup; any pinning
Alfie John wrote:
Taking a look at the Debian mirror list, I see none serving over HTTPS:
https://www.debian.org/mirror/list
https://mirrors.kernel.org/debian is the only one I know of.
It would be good to have a few more, because there are situations where
debootstrap is used without
Le 30/05/2014 21:30, Joey Hess a écrit :
Alfie John wrote:
Taking a look at the Debian mirror list, I see none serving over HTTPS:
https://www.debian.org/mirror/list
https://mirrors.kernel.org/debian is the only one I know of.
It would be good to have a few more, because there are
On Fri, 30 May 2014, Erwan David wrote:
Le 30/05/2014 21:30, Joey Hess a écrit :
Alfie John wrote:
Taking a look at the Debian mirror list, I see none serving over HTTPS:
https://www.debian.org/mirror/list
https://mirrors.kernel.org/debian is the only one I know of.
It would be good
Le 30/05/2014 22:02, Henrique de Moraes Holschuh a écrit :
On Fri, 30 May 2014, Erwan David wrote:
Le 30/05/2014 21:30, Joey Hess a écrit :
Alfie John wrote:
Taking a look at the Debian mirror list, I see none serving over HTTPS:
https://www.debian.org/mirror/list
On Fri, May 30, 2014 at 09:43:47PM +0200, Erwan David wrote:
Note that at least debian.org DNS is segned by DNSSEC and DANE is used,
which allows to check that the certificate used by a debian.org site is
the real one.
We're not at the point where that can be relied on in the real world.
On Fri, May 30, 2014 at 8:15 PM, Alfie John wrote:
Taking a look at the Debian mirror list, I see none serving over HTTPS:
https://www.debian.org/mirror/list
Then you aren't trying hard enough, several of them support https,
these ones at least:
https://mirrors.kernel.org/debian/
66 matches
Mail list logo