On 03/06/15 08:53, Mark Kubacki wrote: > 2015-03-06 1:56 GMT+01:00 Rick "Zero_Chaos" Farina <zeroch...@gentoo.org>: >> >> tl;dr webrsync-gpg is a built in feature of the package manager which >> OPTIONALLY adds a significant amount of security against the attacks >> described on your website. This is not currently the default setting, >> however, it is described in many hardening guides for gentoo and widely >> used among the security conscious. > > Without numbers backing that up this is speculation.
5,7,16,38,42. There are some numbers to back up what I'm saying. I have been doing security work for over 15 years and I'm a professional pen-tester. If you want to read the portage code to verify what I said that's fine, but I'm reasonably confident I distilled what portage does into english. > > Given the default settings (without webrsync-gpg)…: > >> (8) Wrong software installation. > > Observe the DNS requests for the rsync- or webrsync mirror. They're > not encrypted and give you a nice heads-up. Yup, dns is basically never encrypted, this is not new information or a new attack. > > A. (data in transit) It's almost never HTTPS and/or without > authentication, so you can easily proceed to hijacking the connection. > - Primed that way (DNS) insert a new rule into a router (or > nameserver) along the path or within the DC to redirect the > transaction. (See "quantum insert".) Yup, this was discussed, however, it doesn't matter, and I'll explain why. The portage tree itself is a tarball with a signature attached, that means that short of coercion, the information in the portage tree should be correct (in the case of webrsync-gpg). The Manifest file for each package contains a sha256, sha512, and whirlpool hash for each file (including the source tarballs which would be downloaded to install) and ALL of them must match. Good luck modifying the file and getting all three hashs to match, I would suggest that is statistically impossible. Yes, an attacker could easily pass any file they like, but portage would fail to validate it and refuse to continue. > > B. (data at rest) Bribe or coerce the owner of the (portage tree) > mirror. Manifests and ebuilds are not centrally signed and there is no > authoritative "signing transparency"/record (see "certificate > transparency"). > Only the portage tree is centrally signed, and currently the manifest signatures aren't even verified automatically at this point. Yes, I completely agree that a gentoo dev could be coerced or bribed to add malicious code to the repository which would then get signed and shipped with the secure tarball. This avenue of attack is very difficult to stop. If would be cool to have some kind of automated check for malicious codes, however, I doubt it would be all that effective. -Zero
signature.asc
Description: OpenPGP digital signature
