On 03/05/15 14:14, Patrick Schleizer wrote: >> I used the footnote numbers to reference the attacks. > > I am afraid, this might cause some confusion. The numbers you have used > won't stay stable. Those were autogenerated numbers of footnotes. As > footnotes change, these numbers change. To keep your post > understandable, I created a snapshot before modifying footnotes: > http://www.webcitation.org/6Wo9Cb2ox > > However, numbers (1), (2), (3), etc. that won't be automatically > changed, have just been added now.
HA, my fault, sorry about that. > > Actually, I was aware of it. The issue is, signing is not everything. > Signatures need a validity range. Otherwise mirrors can also show half a > year etc. old signatures that are valid. See also: > http://blog.ganneff.de/blog/2008/09/23/valid-until-field-in-release-f.html > >> attacks 3, 11, and 12. > > There was no attack 3. Now, before we talk past each other, would you > mind to repost by referencing attack by name or by their new, "real" > numbers? Well now there is an attack 3 :-) webrsync-gpg would ALERT the user in the case of attack 3. Portage checks the timestamp file from inside the gpg signed snapshot and alerts the user if the last sync was too long ago. In the case of a freeze attack, it should alert the user that the sync is old. Not that it fixes the attack, but it won't go unnoticed for long. Likewise, webrsync-gpg would also completely prevent 7 and 8. The snapshot is the entire tree, so it is not possible to "mix and match" without modifying the signed tarball. Nor would it be possible to provide the user with the wrong package since the checksums from inside the signed portage tarball wouldn't match if the source package was traded for a different one. Attack 8 shouldn't work either, as the checksums for everything are protected in the gpg signed portage tarball it should not be possible to trade out a source tarball for a different one. While gentoo doesn't typically use binary packages, it does have the support for it. Nothing in the binary package installation is protected by signatures, so I would expect this kind of attack to be possible when installing a binary package. Might be non-trivial to do, but certainly possible. Attack 9 won't work either, assuming the user can avoid the freeze attack (3) the user will have an up to date knowledge of what it expects on the mirrors and will simply ask other mirrors for the right file in case of 404 or bad checksum. tl;dr webrsync-gpg is a built in feature of the package manager which OPTIONALLY adds a significant amount of security against the attacks described on your website. This is not currently the default setting, however, it is described in many hardening guides for gentoo and widely used among the security conscious. -Zero_Chaos
signature.asc
Description: OpenPGP digital signature
