Re: SSL for debian.org/security?
Hello,

I would use a Tor hidden service instead of SSL.

Greetings from Bulgaria,
Nikolay Kubarelov

On 10/29/2013 03:31 AM, Mark Haase wrote:
> It's a bit ironic that the Debian security site doesn't offer SSL, right? If an attacker can MITM an organization that uses Debian, then they can MITM the Debian security page and control what security bulletins that organization can access.
>
> I'm also concerned because this same domain hosts automated security content, e.g. http://www.debian.org/security/oval/oval-definitions-2013.xml. In the future, organizations may be running software that automatically makes decisions about security policies based on the SCAP content in files such as this. If an attacker can MITM this automated security mechanism, then the attacker can interfere with or blind the organization's automated security tools.
>
> I'd like to suggest that Debian should at least use SSL on their security site, even if nowhere else.
>
> Cheers,
> --
> Mark E. Haase CISSP, CEH
> Sr. Security Software Engineer
> www.lunarline.com
> 3300 N Fairfax Drive, Suite 308, Arlington, VA 22201
Re: SSL for debian.org/security?
On Tue, Oct 29, 2013 at 4:29 AM, Nikolay Kubarelov n...@tightwax.com wrote:
> I would use Tor hidden service instead of SSL.

Wait: What? Can't tell if serious.
Re: SSL for debian.org/security?
On 29/10/13 10:44, Jordon Bedwell wrote:
> On Tue, Oct 29, 2013 at 4:29 AM, Nikolay Kubarelov n...@tightwax.com wrote:
>> I would use Tor hidden service instead of SSL.
>
> Wait: What? Can't tell if serious.

And then again: http://yro.slashdot.org/story/13/08/04/2054208/half-of-tor-sites-compromised-including-tormail ^^
Re: SSL for debian.org/security?
Jordon Bedwell:
> On Tue, Oct 29, 2013 at 4:29 AM, Nikolay Kubarelov n...@tightwax.com wrote:
>> I would use Tor hidden service instead of SSL.
>
> Wait: What? Can't tell if serious.

Why shouldn't that be serious? Tor hidden services can not only be used to hide the location of a server, but they also provide alternative end-to-end encryption, independent from SSL CAs.
Re: SSL for debian.org/security?
Tormen:
> On 29/10/13 10:44, Jordon Bedwell wrote:
>> On Tue, Oct 29, 2013 at 4:29 AM, Nikolay Kubarelov n...@tightwax.com wrote:
>>> I would use Tor hidden service instead of SSL.
>>
>> Wait: What? Can't tell if serious.
>
> And then again: http://yro.slashdot.org/story/13/08/04/2054208/half-of-tor-sites-compromised-including-tormail ^^

That is a totally unrelated story. No argument against hidden services at all.

- They took down a hidden service host violating laws - not of concern for Debian, since Debian is not violating laws.
- They didn't break Tor hidden services, they broke the server software of someone who allowed anyone to run arbitrary PHP scripts.
- Only one hidden service which provides free hidden hosting to others was taken down. Anyone hosting their own hidden service was unaffected.
Re: SSL for debian.org/security?
On 29-10-2013 07:29, Nikolay Kubarelov wrote:
> I would use Tor hidden service instead of SSL.

Tor is too slow and you must install additional software. A better idea is to offer both SSL and a Tor Hidden Service. You choose which to use. Do not forget Tor encryption is not considered secure anymore.

On 29-10-2013 07:52, Tormen wrote:
> And then again: http://yro.slashdot.org/story/13/08/04/2054208/half-of-tor-sites-compromised-including-tormail ^^

Half of Tor Hidden Services are compromised. So Debian THS will also be compromised. I cannot see your point.
Re: SSL for debian.org/security?
It's not Tor itself that was compromised but the version of Firefox bundled with the Tor browser bundle. They used a 0day to install a tracking cookie in FF.

From: Djones Boni
Sent: Tuesday 29 October 2013 11:09
To: debian-security@lists.debian.org

> On 29-10-2013 07:29, Nikolay Kubarelov wrote:
>> I would use Tor hidden service instead of SSL.
>
> Tor is too slow and you must install additional software. A better idea is to offer both SSL and a Tor Hidden Service. You choose which to use. Do not forget Tor encryption is not considered secure anymore.
>
> On 29-10-2013 07:52, Tormen wrote:
>> And then again: http://yro.slashdot.org/story/13/08/04/2054208/half-of-tor-sites-compromised-including-tormail ^^
>
> Half of Tor Hidden Services are compromised. So Debian THS will also be compromised. I cannot see your point.
Re: SSL for debian.org/security?
On 29-10-2013 08:36, burgers@gmail.com wrote:
> It's not Tor itself that was compromised but the version of Firefox bundled with the Tor browser bundle. They used a 0day to install a tracking cookie in FF.

The FF bug exploited by the Freedom Hosting script was not a 0day one. There was an updated TBB which fixed it a month before the attack (only MS OSs were exploited with that script).

If anyone uses TBB to access a Debian hidden service to verify security updates and TBB leaks information to LEA, what could they do? "Aham! He uses Debian. Let's arrest him!"

A Debian THS is a good idea for the security it provides, not for anonymity or down rate. It would be harder for someone to MITM and hide updates from you. That is why Debian should use SSL (and THS).
Re: SSL for debian.org/security?
Djones Boni:
> A Debian THS is a good idea for the security it provides, not for anonymity or down rate. It would be harder for someone to MITM and hide updates from you. That is why Debian should use SSL (and THS).

Downloading apt-get updates over Tor hidden services would be awesome!

- Even when an adversary found a way to exploit apt-get's OpenPGP verification, the exploit could not be used, because Tor hidden services implement their own encryption/authentication.
- An adversary could not even know that someone is downloading apt-get updates.
- We obscure more internet traffic, good for Tor (diversifying user base and use cases), adding more hay to the haystack.
- It becomes more difficult to mount rollback/freeze attacks. We have the valid-until field, but Tor HS would be nice as defense in depth.

And before someone says the Tor network does not want such kind of traffic... Having my Whonix (a Debian derivative) hat on: there is no such issue. One can use Tor to download updates. We asked torproject.org if it is okay to download operating system updates over Tor, see [1] [2]. Andrew Lewman (Executive Director, Director, press contact [3]) does also download a lot of updates over Tor and did not complain. [4]

[1] https://lists.torproject.org/pipermail/tor-talk/2012-March/023486.html
[2] https://lists.torproject.org/pipermail/tor-talk/2012-March/subject.html#23507
[3] https://www.torproject.org/about/corepeople.html.en
[4] https://lists.torproject.org/pipermail/tor-talk/2012-March/023493.html
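The rollback/freeze point above rests on two things in an apt Release file: the Valid-Until field bounds how long a captured, still correctly signed Release can be replayed, and the per-file hashes tie each index to that Release. The following is an added example (not apt's or Debian's code) that re-implements both checks over a constructed Release body; the field names and layout are the real Release format, the sample contents are made up.

```python
import hashlib
from email.utils import parsedate_to_datetime

# Constructed sample index file and the matching Release body (not a real
# Debian Release file). The SHA256 line is computed from the sample index so
# the two agree, exactly as they must on a real mirror.
SAMPLE_INDEX = b"Package: example\nVersion: 1.0-1\nArchitecture: amd64\n"
SAMPLE_RELEASE = (
    "Origin: Debian\n"
    "Suite: stable\n"
    "Date: Tue, 29 Oct 2013 12:00:00 UTC\n"
    "Valid-Until: Tue, 05 Nov 2013 12:00:00 UTC\n"
    "SHA256:\n"
    f" {hashlib.sha256(SAMPLE_INDEX).hexdigest()} {len(SAMPLE_INDEX)} main/binary-amd64/Packages\n"
)


def parse_release(text):
    """Split a Release body into header fields and a path -> (sha256, size) map.

    Only the SHA256 section is collected; weaker hash sections are ignored."""
    fields, hashes, in_sha256 = {}, {}, False
    for line in text.splitlines():
        if line.startswith(" "):           # continuation line of a hash section
            if in_sha256:
                digest, size, path = line.split()
                hashes[path] = (digest, int(size))
            continue
        key, _, value = line.partition(":")
        in_sha256 = (key == "SHA256")
        fields[key] = value.strip()
    return fields, hashes


def release_is_fresh(fields, now_rfc2822):
    """Freeze-attack check: a captured Release, even with a valid signature,
    stops being accepted once its Valid-Until has passed. A Release without
    Valid-Until cannot be bounded this way, so it is treated as stale here."""
    if "Valid-Until" not in fields:
        return False
    now = parsedate_to_datetime(now_rfc2822)
    return now <= parsedate_to_datetime(fields["Valid-Until"])


def index_matches(hashes, path, content):
    """Rollback check: the index actually served must be the one the Release
    names, by both size and SHA-256. An older (once valid) index served under
    the current Release fails here."""
    if path not in hashes:
        return False
    digest, size = hashes[path]
    return len(content) == size and hashlib.sha256(content).hexdigest() == digest


def check(release_text, now_rfc2822, path, content):
    """Both checks together. In real apt the OpenPGP signature on the Release
    is verified first (not shown); these are the checks the signature alone
    cannot provide."""
    fields, hashes = parse_release(release_text)
    return release_is_fresh(fields, now_rfc2822) and index_matches(hashes, path, content)
```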
Re: SSL for debian.org/security?
Djones Boni:
> A better idea is to offer both SSL and a Tor Hidden Service. You choose which to use.

Yes, having both is better. Only relying on Tor Hidden Services wouldn't be a good idea. Offering it as an option would be awesome!

> Do not forget Tor encryption is not considered secure anymore.

There are of course a lot of opportunities in Tor and Hidden Services for improvements, but please consider that there are no reports that either Tor or Hidden Services were ever successfully deanonymized.* The latest information we got is still "We will never be able to de-anonymize all Tor users all the time" [1] - so it's worth going for it.

[1] http://www.theguardian.com/world/interactive/2013/oct/04/tor-stinks-nsa-presentation-document

* detective work and/or exploiting the server or client software behind Tor is another story
Re: SSL for debian.org/security?
On Tue, 29 Oct 2013 10:05:53 +0000 adrelanos adrela...@riseup.net wrote:
> Jordon Bedwell:
>> On Tue, Oct 29, 2013 at 4:29 AM, Nikolay Kubarelov n...@tightwax.com wrote:
>>> I would use Tor hidden service instead of SSL.
>>
>> Wait: What? Can't tell if serious.
>
> Why shouldn't that be serious? Tor hidden services can not only be used to hide the location of a server, but they also provide alternative end-to-end encryption, independent from SSL CAs.

The OP was asking for authentication, not encryption.

Celejar
Re: SSL for debian.org/security?
On 29/10/13 12:53, adrelanos wrote:
> Downloading apt-get updates over Tor hidden services would be awesome!
>
> - Even when an adversary found a way to exploit apt-get's OpenPGP verification, the exploit could not be used, because Tor hidden services implement their own encryption/authentication.
> - An adversary could not even know that someone is downloading apt-get updates.
> - We obscure more internet traffic, good for Tor (diversifying user base and use cases), adding more hay to the haystack.
> - It becomes more difficult to mount rollback/freeze attacks. We have the valid-until field, but Tor HS would be nice as defense in depth.

I can't see why not and start to really like the idea too! Let there be awesomeness :) I think that would be a very contemporary move of Debian.
Re: SSL for debian.org/security?
On 29-10-2013 09:56, Celejar wrote:
> The OP was asking for authentication, not encryption.
>
> Celejar

Tor HS addresses are self-authenticating (80 bits of entropy). It is possible (and very hard) to create an alias, but it is much better than clear text over HTTP.

On 29-10-2013 09:53, adrelanos wrote:
> Downloading apt-get updates over Tor hidden services would be awesome!
> - Even when an adversary found a way to exploit apt-get's OpenPGP verification, the exploit could not be used, because Tor hidden services implement their own encryption/authentication.
> - An adversary could not even know that someone is downloading apt-get updates.

If someone needs speed, it is possible to run apt-get update over Tor and apt-get upgrade over HTTP or HTTPS (but the security will rely only on OpenPGP and SSL).
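What "self-authenticating (80 bits of entropy)" means for the hidden-service addresses of that time (the v2 scheme; today's v3 names derive from ed25519 keys differently), as an added example that is not Tor's code: the .onion name is a commitment to the service's public key, so the client can check the key it is handed against the name without any CA. The key bytes below are a constructed placeholder, not a real RSA key.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for a service's DER-encoded RSA-1024 public key. A real
# key is about 140 bytes of ASN.1; any byte string works to show the derivation.
SAMPLE_DER_PUBKEY = bytes(range(140))


def onion_v2_address(der_public_key: bytes) -> str:
    """The v2 .onion name: base32 of the first 80 bits of SHA-1 over the
    DER-encoded RSA public key. Anyone holding the name holds a hash of the
    key, which is what makes the name self-authenticating."""
    digest = hashlib.sha1(der_public_key).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower() + ".onion"


def is_well_formed_v2(address: str) -> bool:
    """16 base32 characters (a-z, 2-7) plus '.onion'; nothing else is a v2 name."""
    name, _, tld = address.lower().rpartition(".")
    return (tld == "onion" and len(name) == 16
            and all(c in "abcdefghijklmnopqrstuvwxyz234567" for c in name))


def key_matches_address(der_public_key: bytes, address: str) -> bool:
    """The client-side check that stands in for a CA: the key the service
    presents during the rendezvous must hash back to the name the user typed.
    Constant-time comparison avoids leaking how many characters matched."""
    if not is_well_formed_v2(address):
        return False
    return hmac.compare_digest(onion_v2_address(der_public_key), address.lower())


def expected_keys_for_prefix(prefix_len: int) -> int:
    """Why an 'alias' is 'possible and very hard': each base32 character fixes
    5 bits of the hash, so an attacker needs about 32**n key generations to
    match an n-character prefix. All 16 characters is 2**80, the '80 bits of
    entropy' in the thread; a lookalike sharing only 6 characters is ~2**30,
    which is why users must compare the whole name, not a prefix."""
    return 32 ** prefix_len
```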
Re: SSL for debian.org/security?
On 2013.10.29. 13:32, Djones Boni wrote:
> On 29-10-2013 09:56, Celejar wrote:
>> The OP was asking for authentication, not encryption.
>>
>> Celejar
>
> Tor HS addresses are self-authenticating (80 bits of entropy). It is possible (and very hard) to create an alias, but it is much better than clear text over HTTP.
>
> On 29-10-2013 09:53, adrelanos wrote:
>> Downloading apt-get updates over Tor hidden services would be awesome!
>> - Even when an adversary found a way to exploit apt-get's OpenPGP verification, the exploit could not be used, because Tor hidden services implement their own encryption/authentication.
>> - An adversary could not even know that someone is downloading apt-get updates.
>
> If someone needs speed, it is possible to run apt-get update over Tor and apt-get upgrade over HTTP or HTTPS (but the security will rely only on OpenPGP and SSL).

Hi,

Can't the packages be verified via Tor after they are downloaded but before they get installed?
Re: SSL for debian.org/security?
On Tue, 29 Oct 2013 10:32:26 -0200 Djones Boni 07ea86b...@gmail.com wrote:
> On 29-10-2013 09:56, Celejar wrote:
>> The OP was asking for authentication, not encryption.
>>
>> Celejar
>
> Tor HS addresses are self-authenticating (80 bits of entropy).

Okay, but the message I was replying to mentioned only encryption: http://lists.debian.org/debian-security/2013/10/msg00033.html

> It is possible (and very hard) to create an alias, but it is much better than clear text over HTTP.

The question is not whether it's better than clear text over HTTP, but whether it's better than SSL.

Celejar
Re: SSL for debian.org/security?
On 29-10-2013 10:49, Celejar wrote:
> The question is not whether it's better than clear text over HTTP, but whether it's better than SSL.

*If no CA is compromised*, I think SSL alone is more secure than Tor alone. But it is possible to use SSL with Tor. Then there are two layers of authentication/encryption.

On 29-10-2013 10:42, Szabó Péter wrote:
> Can't the packages be verified via Tor after they are downloaded but before they get installed?

As far as I know, Tor and SSL encrypt/authenticate traffic, not the data. The pre-installation verification is done via apt, verifying OpenPGP signatures on deb packages.
Re: SSL for debian.org/security?
adrelanos wrote (29 Oct 2013 11:53:06 GMT):
> Downloading apt-get updates over Tor hidden services would be awesome!

I don't think there is anything preventing anyone from running a Debian mirror over a Tor HS.
Re: SSL for debian.org/security?
On Tue, 29 Oct 2013 11:03:55 -0200 Djones Boni 07ea86b...@gmail.com wrote:
> On 29-10-2013 10:49, Celejar wrote:
>> The question is not whether it's better than clear text over HTTP, but whether it's better than SSL.
>
> *If no CA is compromised*, I think SSL alone is more secure than Tor alone. But it is possible to use SSL with Tor. Then there are two layers of authentication/encryption.

Fair enough.

Celejar
Re: SSL for debian.org/security?
If I am not misunderstanding this, the object is to secure the site so it won't be hacked. Why is there this need to use Tor? If I am not wrong, this site is about resolving issues related to the security of Debian, not doing some underground espionage type activities. I think using good judgement and the tools to secure the site is way more important than trying to hide from the NSA or some government.

Please people, get a grip. This is why Linux has a hard time being in the mainstream. Not because it's less secure or not like that other OS, but because you have people making the usage of it hard for a normal user to just get information and use the product. Some of you really need to stop watching the news and just enjoy the freedom that Linux brings.

On 10/29/2013 04:44 AM, Jordon Bedwell wrote:
> On Tue, Oct 29, 2013 at 4:29 AM, Nikolay Kubarelov n...@tightwax.com wrote:
>> I would use Tor hidden service instead of SSL.
>
> Wait: What? Can't tell if serious.

--
Thanks,
Jonathan Spearman
Re: SSL for debian.org/security?
I fail to see what would make what hard, could you please explain?

2013/10/30 Jonathan Spearman j...@jstc.info
> If I am not misunderstanding this, the object is to secure the site so it won't be hacked. Why is there this need to use Tor? If I am not wrong, this site is about resolving issues related to the security of Debian, not doing some underground espionage type activities. I think using good judgement and the tools to secure the site is way more important than trying to hide from the NSA or some government.
>
> Please people, get a grip. This is why Linux has a hard time being in the mainstream. Not because it's less secure or not like that other OS, but because you have people making the usage of it hard for a normal user to just get information and use the product. Some of you really need to stop watching the news and just enjoy the freedom that Linux brings.
>
> On 10/29/2013 04:44 AM, Jordon Bedwell wrote:
>> On Tue, Oct 29, 2013 at 4:29 AM, Nikolay Kubarelov n...@tightwax.com wrote:
>>> I would use Tor hidden service instead of SSL.
>>
>> Wait: What? Can't tell if serious.
>
> --
> Thanks,
> Jonathan Spearman

--
GPG: http://is.gd/droope
http://is.gd/signature_
Re: SSL for debian.org/security?
On Wed, Oct 30, 2013 at 12:11 AM, Pedro Worcel pe...@worcel.com wrote:
> I fail to see what would make what hard, could you please explain?

Hard, maybe not, needed: no. There is no reason to try and hide the information, there never was and there never will be. If you were to implement SSL and then a Tor option, fine, but to skip SSL and only offer Tor is annoying and unneeded. Tell me something, do you also build a moat around your house to prevent people from parking near your yard?
External check
CVE-2013-4443: RESERVED
CVE-2013-5801: TODO: This issue was fixed in Oracle Java, but not in OpenJDK. Likely not-affected, but needs further check
CVE-2013-5832: TODO: This issue was fixed in Oracle Java, but not in OpenJDK. Likely not-affected, but needs further check
CVE-2013-5843: TODO: This issue was fixed in Oracle Java, but not in OpenJDK. Likely not-affected, but needs further check

--
The output might be a bit terse, but the above ids are known elsewhere, check the references in the tracker. The second part indicates the status of that id in the tracker at the moment the script was run.