Re: More prominent link to verification hashes
On Mon, Mar 7, 2016 at 8:27 AM, Stephen John Smoogen wrote:
> On 7 March 2016 at 01:32, Ralf Senderek wrote:
>>> What would be proper other places to confirm the fingerprint?
>>
>> The following criteria might be reasonable:
>> - a place that has authority, that people might trust.
>> - a place that is hard to impersonate, that has some protection
>> against unauthorized use
>> - a place that is visible to many people with a need to verify.
>> - a place that is known for publishing cross-checked, reliable
>> information
>>
>> Hope that helps to find such places.
>
> Not really. Everything above is subjective. In the past, when I have
> looked for sites that meet such criteria no one agrees that the place
> meets such criteria.
>
> We put it in redhat.com and people who hate corporations or that Red
> Hat sponsors this project assume that if Red Hat were paid enough
> money they would change the data any time.
>
> We put it in archive.org and people wonder how we can tell it isn't
> impersonated by some other site or that someone else isn't changing
> it.
>
> We put it in lwn.net and people wonder how they will know where to
> find it or why we didn't choose reddit/slashdot/etc/etc.
>
> We get google to host it and people wonder all of the above.

Get them all to host it. That oughta bypass any tomfoolery.

-- 
Chris Murphy

-- 
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
Re: More prominent link to verification hashes
On Mon, 7 Mar 2016, Stephen John Smoogen wrote:
>> Hope that helps to find such places.
>
> Not really. Everything above is subjective. In the past, when I have
> looked for sites that meet such criteria no one agrees that the place
> meets such criteria.
>
> We put it in redhat.com and people who hate corporations or that Red
> Hat sponsors this project assume that if Red Hat were paid enough
> money they would change the data any time.
>
> We put it in archive.org and people wonder how we can tell it isn't
> impersonated by some other site or that someone else isn't changing
> it.
>
> We put it in lwn.net and people wonder how they will know where to
> find it or why we didn't choose reddit/slashdot/etc/etc.
>
> We get google to host it and people wonder all of the above.

Stephen, please bear in mind that it's not a measure to make everyone happy; publishing the fingerprint(s) is meant to prevent faking of the key. And this is much more than providing only self-signed keys without linking them to first-hand knowledge about their authenticity. You don't have to come up with a solution that suits everyone, as long as it is enough to make faking a really hard job for anyone.
Re: More prominent link to verification hashes
On 7 March 2016 at 01:32, Ralf Senderek wrote:
>> What would be proper other places to confirm the fingerprint?
>
> The following criteria might be reasonable:
> - a place that has authority, that people might trust.
> - a place that is hard to impersonate, that has some protection
> against unauthorized use
> - a place that is visible to many people with a need to verify.
> - a place that is known for publishing cross-checked, reliable
> information
>
> Hope that helps to find such places.

Not really. Everything above is subjective. In the past, when I have looked for sites that meet such criteria no one agrees that the place meets such criteria.

We put it in redhat.com and people who hate corporations or that Red Hat sponsors this project assume that if Red Hat were paid enough money they would change the data any time.

We put it in archive.org and people wonder how we can tell it isn't impersonated by some other site or that someone else isn't changing it.

We put it in lwn.net and people wonder how they will know where to find it or why we didn't choose reddit/slashdot/etc/etc.

We get google to host it and people wonder all of the above.

-- 
Stephen J Smoogen.
Re: More prominent link to verification hashes
On Thursday, February 25, 2016 09:29:26 PM Ralf Senderek wrote:
> On Thu, 25 Feb 2016, Dennis Gilmore wrote:
>> Which fingerprint? There is a number of keys.
>>
>> Dennis
>
> The one you were referring to in your posting and which
> an ordinary user would verify with:
>
> gpg --list-keys --fingerprint 81B46521
>
> Ralf
>
> PS: if you had a long-term signing key it would be its fingerprint.

We have no long term signing key, no way to cross sign the keys. I was referring to them all in general, not just one in particular.

Dennis
Re: More prominent link to verification hashes
Somewhere like archive.org too maybe -- again totally separate infrastructure + it could be used as an un-official 'official' hash vault for checking.

On 03/07/2016 08:27 AM, Matthew Miller wrote:
> On Mon, Mar 07, 2016 at 08:32:05AM -, Ralf Senderek wrote:
>>> What would be proper other places to confirm the fingerprint?
>> The following criteria might be reasonable:
>> - a place that has authority, that people might trust.
>> - a place that is hard to impersonate, that has some protection
>> against unauthorized use
>> - a place that is visible to many people with a need to verify.
>> - a place that is known for publishing cross-checked, reliable information
>
> We could possibly add it somewhere on a Red Hat site, which I think
> would fit all of these criteria in many people's eyes. Since it's
> entirely separate infrastructure from Fedora's websites, that would
> significantly raise the bar for any targeted website hacking.
Re: More prominent link to verification hashes
On Mon, Mar 07, 2016 at 08:32:05AM -, Ralf Senderek wrote:
>> What would be proper other places to confirm the fingerprint?
> The following criteria might be reasonable:
> - a place that has authority, that people might trust.
> - a place that is hard to impersonate, that has some protection
> against unauthorized use
> - a place that is visible to many people with a need to verify.
> - a place that is known for publishing cross-checked, reliable
> information

We could possibly add it somewhere on a Red Hat site, which I think would fit all of these criteria in many people's eyes. Since it's entirely separate infrastructure from Fedora's websites, that would significantly raise the bar for any targeted website hacking.

-- 
Matthew Miller
Fedora Project Leader
Re: More prominent link to verification hashes
> What would be proper other places to confirm the fingerprint?

The following criteria might be reasonable:
- a place that has authority, that people might trust.
- a place that is hard to impersonate, that has some protection against unauthorized use.
- a place that is visible to many people with a need to verify.
- a place that is known for publishing cross-checked, reliable information.

Hope that helps to find such places.
Re: More prominent link to verification hashes
On Thu, Feb 25, 2016 at 09:29:26PM +0100, Ralf Senderek wrote:
> PS: if you had a long-term signing key it would be its fingerprint.

How would an ordinary user use a long-term signing key?

Kind regards
Till
Re: More prominent link to verification hashes
On Thu, Feb 25, 2016 at 08:05:59PM +0100, Ralf Senderek wrote:
> Thank you for providing this valuable information about the handling
> of the private key that enables Fedora ISO signing. This information
> should be shared and highlighted as it is helping to create trust in
> the use of this key.

Where should this information be provided?

> As a personal request, would you be so kind as to confirm the fingerprint
> here (and maybe somewhere else), please. Thank you very much.

What would be proper other places to confirm the fingerprint?

Regards
Till
Re: More prominent link to verification hashes
On Thu, 25 Feb 2016, Dennis Gilmore wrote:
> Which fingerprint? There is a number of keys.
>
> Dennis

The one you were referring to in your posting and which an ordinary user would verify with:

gpg --list-keys --fingerprint 81B46521

Ralf

PS: if you had a long-term signing key it would be its fingerprint.
Re: More prominent link to verification hashes
On Thursday, February 25, 2016 08:05:59 PM Ralf Senderek wrote:
> On Thu, 25 Feb 2016, Dennis Gilmore wrote:
>> No one has access to the private key. It lives on a server that has no
>> services running that listen for connections. There is a service that
>> runs on it that talks to the signing bridge. That brokers all requests.
>> Users with access do not know the password to unlock the key. The
>> signing server manages access. There are exactly two copies of the
>> private key, one embedded in encrypted storage on the signing server
>> and a backup of the encrypted storage on the backup server. It has
>> been designed to allow the granting and revocation of access without
>> the need for having a copy of the private key.
>>
>> https://fedorahosted.org/sigul/ is the software we use
>>
>> Dennis
>
> Thank you for providing this valuable information about the handling
> of the private key that enables Fedora ISO signing. This information
> should be shared and highlighted as it is helping to create trust in
> the use of this key.
> As a personal request, would you be so kind as to confirm the fingerprint
> here (and maybe somewhere else), please. Thank you very much.

Which fingerprint? There is a number of keys.

Dennis
Re: More prominent link to verification hashes
On Thu, 25 Feb 2016, Dennis Gilmore wrote:
> No one has access to the private key. It lives on a server that has no
> services running that listen for connections. There is a service that
> runs on it that talks to the signing bridge. That brokers all requests.
> Users with access do not know the password to unlock the key. The
> signing server manages access. There are exactly two copies of the
> private key, one embedded in encrypted storage on the signing server
> and a backup of the encrypted storage on the backup server. It has
> been designed to allow the granting and revocation of access without
> the need for having a copy of the private key.
>
> https://fedorahosted.org/sigul/ is the software we use
>
> Dennis

Thank you for providing this valuable information about the handling of the private key that enables Fedora ISO signing. This information should be shared and highlighted as it is helping to create trust in the use of this key.

As a personal request, would you be so kind as to confirm the fingerprint here (and maybe somewhere else), please. Thank you very much.

Ralf
Re: More prominent link to verification hashes
On Tuesday, February 23, 2016 10:18:49 PM Ralf Senderek wrote:
> On Tue, 23 Feb 2016, Till Maas wrote:
>> I used my access to the signing server to verify the key before signing
>> it. But why is confirming the fingerprint here a step forward? Why would
>> someone search in this mailing list for the fingerprint of the gpg key?
>>
>> FWIW, the signing server just gave me a public key with this fingerprint
>> when I asked for the Fedora 24 signing key:
>> pub 4096R/81B46521 2015-07-25 Fedora (24)
>> Key fingerprint = 5048 BDBB A5E7 76E5 47B0 9CCC 73BD E983 81B4 6521
>
> This is the important part, you state that you have access to the server
> that uses the private key for 4096R/81B46521. You may have first-hand
> knowledge how the persons using this key protect this private key and you
> have even knowledge of these persons' trustworthiness and professionalism.
>
> That and only that constitutes the value of your signature as opposed to
> mine if I had signed the key.

No one has access to the private key. It lives on a server that has no services running that listen for connections. There is a service that runs on it that talks to the signing bridge. That brokers all requests. Users with access do not know the password to unlock the key. The signing server manages access. There are exactly two copies of the private key, one embedded in encrypted storage on the signing server and a backup of the encrypted storage on the backup server. It has been designed to allow the granting and revocation of access without the need for having a copy of the private key.

https://fedorahosted.org/sigul/ is the software we use

Dennis
Re: More prominent link to verification hashes
On Tue, 23 Feb 2016, Till Maas wrote:
> I used my access to the signing server to verify the key before signing
> it. But why is confirming the fingerprint here a step forward? Why would
> someone search in this mailing list for the fingerprint of the gpg key?
>
> FWIW, the signing server just gave me a public key with this fingerprint
> when I asked for the Fedora 24 signing key:
> pub 4096R/81B46521 2015-07-25 Fedora (24)
> Key fingerprint = 5048 BDBB A5E7 76E5 47B0 9CCC 73BD E983 81B4 6521

This is the important part, you state that you have access to the server that uses the private key for 4096R/81B46521. You may have first-hand knowledge how the persons using this key protect this private key and you have even knowledge of these persons' trustworthiness and professionalism.

That and only that constitutes the value of your signature as opposed to mine if I had signed the key.
Re: More prominent link to verification hashes
On Tue, Feb 23, 2016 at 08:13:59PM +0100, Ralf Senderek wrote:
> On Tue, 23 Feb 2016, Till Maas wrote:
>> You can already get the keys at various places:
>>
>> - Fedora website
>> - physical DVDs
>> - fedora-repos git repository
>> - fedora-repos RPM on kojipkgs
>> - fedora-repos RPM Fedora mirrors
>> - Fedora ISO images on Fedora mirrors
>> - Eventually DNSSEC protected from DNS
>
> I was very clear in saying fingerprint not keys. The original key file from
> the website contains only self-signed keys. The only way to know if these
> are valid is to check the fingerprint.

It is not the only way. You can also compare the keys from all these locations directly. Or calculate the fingerprint from the keys at all these locations and compare them.

>> Also all recent Fedora keys were signed by me. So how many different
>> places do we need to make it secure? I am also very interested in making
>> this secure, but adding more random places to look does not help unless
>> people are actually looking there.
>
> Printing the fingerprint in prominent places makes faking the key
> nearly impossible, even if the ordinary user doesn't look there.

If the user does not look at the places, then it does not help. But what are the exact places that you propose to post the fingerprint?

>> And since you did not notice that I
>> signed the GPG keys, I guess you did not look much as well.
>
> You didn't sign it in the download file from the verify page.

You can get the signature from a keyserver. Just wondering, how would you check the signature if it was included in the key download file that it would be hard to download the signature instead with --refresh-keys in gpg - the latter also gives you all signatures that everyone added to the key.

> Signing a key only helps if it is an assurance that the signer has checked
> the fingerprint. I could have signed the keys as well, but I didn't
> because I don't know anything about the fingerprint from first-hand.

How will you decide whether someone checked the fingerprint? How should an inexperienced user decide whether to trust a certain key?

> If you have a valid means of checking the fingerprint with the creator
> of the key and publicly confirm the fingerprint on the mailing list,
> this would be a step forward.

I used my access to the signing server to verify the key before signing it. But why is confirming the fingerprint here a step forward? Why would someone search in this mailing list for the fingerprint of the gpg key?

FWIW, the signing server just gave me a public key with this fingerprint when I asked for the Fedora 24 signing key:

pub 4096R/81B46521 2015-07-25 Fedora (24)
Key fingerprint = 5048 BDBB A5E7 76E5 47B0 9CCC 73BD E983 81B4 6521

>> Btw before suggesting what to provide, maybe think of the instructions
>> for users that would explain how to verify the keys
>
> They are already asking the user on the verify page to run a gpg command,
> displaying the fingerprint is as easy as that.

This is not a specific instruction. Please provide an example of the specific instructions that you would like to add.
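Till's suggestion above, that one can calculate the fingerprint from the key obtained at each location and compare the results rather than trusting any single copy, as an added example that is not code from this thread, from Fedora's tooling or from GnuPG. It implements the OpenPGP v4 fingerprint (SHA-1 over 0x99, the two-octet packet body length and the body, per RFC 4880) on a public-key packet; the RSA key bytes are constructed, so the resulting fingerprint is not a real Fedora key, while the fingerprint string used in the test comes from the thread itself.

```python
"""OpenPGP v4 key fingerprint computation and cross-source comparison.

Added illustration. The key material is constructed (a made-up RSA modulus),
so the fingerprint it yields is not a real Fedora key fingerprint.
"""
import hashlib
import struct

# Same creation date gpg shows for the F24 key in the thread (2015-07-25 UTC);
# the key bytes themselves are constructed and carry no meaning.
CREATED = 1437782400
CONSTRUCTED_N = (1 << 1023) | 0x2B7E151628AED2A6ABF7158809CF4F3C | 1
RSA_E = 65537


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-octet bit count, then big-endian octets."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def build_v4_rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a v4 public-key packet (RFC 4880 5.5.2): version, time, algo 1 (RSA), n, e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def wrap_old_format(body: bytes, tag: int = 6) -> bytes:
    """Prepend an old-format packet header (RFC 4880 4.2.1) with a 1- or 2-octet length."""
    if len(body) < 256:
        return bytes([0x80 | (tag << 2) | 0, len(body)]) + body
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body


def parse_public_key_packet(packet: bytes) -> bytes:
    """Return the body of a public-key packet (tag 6); accepts old- and new-format headers."""
    ctb = packet[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if ctb & 0x40:  # new-format header: tag in the low six bits
        tag, first = ctb & 0x3F, packet[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + packet[2] + 192, 3
        elif first == 255:
            length, off = struct.unpack(">I", packet[2:6])[0], 6
        else:
            raise ValueError("partial body lengths are not supported")
    else:  # old-format header: tag in bits 2-5, length type in the low two bits
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 0:
            length, off = packet[1], 2
        elif ltype == 1:
            length, off = struct.unpack(">H", packet[1:3])[0], 3
        elif ltype == 2:
            length, off = struct.unpack(">I", packet[1:5])[0], 5
        else:
            raise ValueError("indeterminate packet length is not supported")
    if tag != 6:
        raise ValueError(f"expected a public-key packet (tag 6), got tag {tag}")
    body = packet[off:off + length]
    if len(body) != length:
        raise ValueError("truncated public-key packet")
    return body


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the 2-octet body length, and the body."""
    if body[:1] != b"\x04":
        raise ValueError("only version 4 keys are supported")
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
    return digest.hexdigest().upper()


def normalize(fingerprint: str) -> str:
    """Accept gpg's spaced form ('5048 BDBB ...') or bare hex; compare as bare upper-case hex."""
    return fingerprint.replace(" ", "").upper()


def key_id(fingerprint: str) -> str:
    """The short ID gpg prints (81B46521 in the thread) is the low 32 bits of the fingerprint."""
    return normalize(fingerprint)[-8:]


def cross_check(packet: bytes, recorded: dict) -> tuple:
    """Fingerprint a downloaded key packet and compare it with the value recorded at
    each independent source. Returns (fingerprint, {source: agrees})."""
    fp = v4_fingerprint(parse_public_key_packet(packet))
    return fp, {source: normalize(value) == fp for source, value in recorded.items()}


if __name__ == "__main__":
    packet = wrap_old_format(build_v4_rsa_public_key_body(CONSTRUCTED_N, RSA_E, CREATED))
    genuine = v4_fingerprint(parse_public_key_packet(packet))
    # Constructed records: two sources agree, a third carries a tampered value.
    records = {
        "verify-page": genuine,
        "mailing-list": " ".join(genuine[i:i + 4] for i in range(0, 40, 4)),
        "mirror-copy": genuine[:-1] + ("0" if genuine[-1] != "0" else "1"),
    }
    fp, results = cross_check(packet, records)
    print(f"fingerprint {fp} (key ID {key_id(fp)})")
    for source, ok in results.items():
        print(f"  {source:13s} {'agrees' if ok else 'DISAGREES'}")
```

A real key file holds further packets (user IDs, signatures, subkeys) after the first public-key packet; only that first packet feeds the primary fingerprint, which is what the thread's `gpg --list-keys --fingerprint` output shows.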
Re: More prominent link to verification hashes
On 23 February 2016 at 12:13, Ralf Senderek wrote:
>
> On Tue, 23 Feb 2016, Till Maas wrote:
>
>> You can already get the keys at various places:
>>
>> - Fedora website
>> - physical DVDs
>> - fedora-repos git repository
>> - fedora-repos RPM on kojipkgs
>> - fedora-repos RPM Fedora mirrors
>> - Fedora ISO images on Fedora mirrors
>> - Eventually DNSSEC protected from DNS
>
> I was very clear in saying fingerprint not keys. The original key file from
> the website contains only self-signed keys. The only way to know if these
> are valid is to check the fingerprint.
>
>> Also all recent Fedora keys were signed by me. So how many different
>> places do we need to make it secure? I am also very interested in making
>> this secure, but adding more random places to look does not help unless
>> people are actually looking there.
>
> Printing the fingerprint in prominent places makes faking the key
> nearly impossible, even if the ordinary user doesn't look there.

"prominent places" is the part that needs work here. This isn't the 1990s when setting up a website was hard and mailing out a physical copy of the fingerprint was cheaper. I could set up a dozen websites all claiming to have the "fingerprint" for near zero cost. How is anyone going to know that is the valid one or not?

>> And since you did not notice that I
>> signed the GPG keys, I guess you did not look much as well.
>
> You didn't sign it in the download file from the verify page.
> Signing a key only helps if it is an assurance that the signer has checked
> the fingerprint. I could have signed the keys as well, but I didn't
> because I don't know anything about the fingerprint from first-hand.
>
> If you have a valid means of checking the fingerprint with the creator
> of the key and publicly confirm the fingerprint on the mailing list,
> this would be a step forward.

If you have a definition of what valid means are... then that might be possible. However I have spent way too many meetings and conversations trying to come up with "enough" assurance and finding that every way gets "we don't believe that is valid because this is the 30 ways it could have been circumvented."

>> Btw before suggesting what to provide, maybe think of the instructions
>> for users that would explain how to verify the keys
>
> They are already asking the user on the verify page to run a gpg command,
> displaying the fingerprint is as easy as that.
>
> If you think you can improve things by signing keys, then take Gregory's
> advice and create a long-term signing key and add its signature to new
> fedora release keys. AND print the fingerprint of this one key in
> many prominent places.

-- 
Stephen J Smoogen.
Re: More prominent link to verification hashes
On Tue, 23 Feb 2016, Till Maas wrote:
> You can already get the keys at various places:
>
> - Fedora website
> - physical DVDs
> - fedora-repos git repository
> - fedora-repos RPM on kojipkgs
> - fedora-repos RPM Fedora mirrors
> - Fedora ISO images on Fedora mirrors
> - Eventually DNSSEC protected from DNS

I was very clear in saying fingerprint not keys. The original key file from the website contains only self-signed keys. The only way to know if these are valid is to check the fingerprint.

> Also all recent Fedora keys were signed by me. So how many different
> places do we need to make it secure? I am also very interested in making
> this secure, but adding more random places to look does not help unless
> people are actually looking there.

Printing the fingerprint in prominent places makes faking the key nearly impossible, even if the ordinary user doesn't look there.

> And since you did not notice that I
> signed the GPG keys, I guess you did not look much as well.

You didn't sign it in the download file from the verify page. Signing a key only helps if it is an assurance that the signer has checked the fingerprint. I could have signed the keys as well, but I didn't because I don't know anything about the fingerprint from first-hand.

If you have a valid means of checking the fingerprint with the creator of the key and publicly confirm the fingerprint on the mailing list, this would be a step forward.

> Btw before suggesting what to provide, maybe think of the instructions
> for users that would explain how to verify the keys

They are already asking the user on the verify page to run a gpg command, displaying the fingerprint is as easy as that.

If you think you can improve things by signing keys, then take Gregory's advice and create a long-term signing key and add its signature to new fedora release keys. AND print the fingerprint of this one key in many prominent places.
Re: More prominent link to verification hashes
On Mon, Feb 22, 2016 at 07:22:24PM -, Ralf Senderek wrote:
> Yes, for people who look only in one place, the manipulated web server.
> But that is the reason why the fingerprint has to pop up in different places
> where it is hard to fake. Even if this one user can be tricked, others can
> discover that the site is compromised if the fingerprint is independently
> recorded many times elsewhere.

You can already get the keys at various places:

- Fedora website
- physical DVDs
- fedora-repos git repository
- fedora-repos RPM on kojipkgs
- fedora-repos RPM Fedora mirrors
- Fedora ISO images on Fedora mirrors
- Eventually DNSSEC protected from DNS

Also all recent Fedora keys were signed by me. So how many different places do we need to make it secure? I am also very interested in making this secure, but adding more random places to look does not help unless people are actually looking there. And since you did not notice that I signed the GPG keys, I guess you did not look much as well. Why would inexperienced users spend so much time on verification? IMHO Fedora is already doing a great job by providing HTTPS secured key downloads and signing all stable releases.

Btw before suggesting what to provide, maybe think of the instructions for users that would explain how to verify the keys and downloads. Then we can also discuss whether or not this would really make sense for inexperienced users.

Kind regards
Till
Re: More prominent link to verification hashes
On Tue, 23 Feb 2016 18:01:29 +0100 Till Maas wrote:
> On Tue, Feb 23, 2016 at 06:23:13AM -0700, Kevin Fenzi wrote:
>> On Mon, 22 Feb 2016 19:45:03 + Gregory Maxwell wrote:
>>> I don't think there is any utility in pointing people to a
>>> keyserver here.
>>
>> I think it would allow them to check signatures against their web of
>> trust.
>
> Since one needs to load the gpg key into the gpg keyring anyhow, one
> can just refresh the key from the keyserver to get the signatures
> from other keys. Since one cannot trust the direct link to a
> keyserver, linking to a keyserver actually weakens the security IMHO.

To be clear, I wasn't suggesting a direct link to a specific keyserver, but more a statement like "Search for key blah with fingerprint foo and name bar on public gpg servers". That said, yeah, just refreshing locally to get signatures seems much more sane.

kevin
Re: More prominent link to verification hashes
On Mon, Feb 22, 2016 at 07:47:51PM +, Gregory Maxwell wrote:
> The key itself should come with signatures. That it doesn't is weird
> and inconvenient. If it came with a single signature by a long lived
> key used for the purpose of authenticating keys, it would go a long
> way.

The gpg tool itself is very inconvenient, but getting the signatures for a key imported to the keyring is not, just run --refresh-keys.

Kind regards
Till
Re: More prominent link to verification hashes
On Tue, Feb 23, 2016 at 06:23:13AM -0700, Kevin Fenzi wrote:
> On Mon, 22 Feb 2016 19:45:03 + Gregory Maxwell wrote:
>> I don't think there is any utility in pointing people to a keyserver
>> here.
>
> I think it would allow them to check signatures against their web of
> trust.

Since one needs to load the gpg key into the gpg keyring anyhow, one can just refresh the key from the keyserver to get the signatures from other keys. Since one cannot trust the direct link to a keyserver, linking to a keyserver actually weakens the security IMHO.

Kind regards
Till
Re: More prominent link to verification hashes
On Mon, 22 Feb 2016 19:45:03 + Gregory Maxwell wrote:
> New users are stateless and little can be done there; at least not
> right now when pre-textual security procedures like Fedora's are
> ubiquitous and thus can't be taken as a clear sign of compromise.

Right.

> Existing users are another matter; "Hey, wasn't the last fedora key
> signed by the fedora-keys-key that I already have?? Something smells
> fishy here". Doubly so if fedora included a fedora-downloader that
> users use to get new images which automatically checked these things.

Perhaps, but they might also just say "oh, download process has changed, oh well". Having an automated downloader that checks things would be nice, but then of course you need to ensure the security of the downloader and that it's not just been tampered with.

>> Pointing people to the sks keyservers to download the key would be
>> nice
>
> I don't think there is any utility in pointing people to a keyserver
> here.

I think it would allow them to check signatures against their web of trust.

> It's useful if that even worked for the few who would do it-- so that
> in untargeted replacement they could sound alarms. But I wasn't even
> suggesting something so broad as WOT: I'm only suggesting that Fedora
> should commit to signing every release key with a long lived, offline
> stored, key-- or, alternatively, with prior releases release keys. So
> that people who somehow managed to get a faithful fedora keyring at
> some point aren't exposed to compromise over and over again in the
> future.

We don't have the ability to do this. Sigul doesn't support signatures.

>> If the site is compromised how would any of that help?
>
> The compromised site could not sign their replacement keys-- they'd
> have to just alter or drop the procedure that provides actual
> security, and this disruption would catch the attention of some users.
> (and better, if an automated mechanism is provided and gains wide
> usage.)

Perhaps. That's the window the attackers would have I suppose. Open source projects have an advantage here in that they are transparent. If someone notices something that seems odd they can easily ask about it and raise the flag.

>> This is already done somewhat... the fedora-repos package has all
>> the keys in it from the time it was last updated.
>
> That's good. The last I had seen it didn't include key for future
> releases. If they're there now the instructions could simply tell the
> user to skip the key download if they're already on an updated fedora
> install.

Yep.

kevin
Re: More prominent link to verification hashes
On Tue, 23 Feb 2016 04:12:41 + Zbigniew Jędrzejewski-Szmek wrote:
> On Mon, Feb 22, 2016 at 07:47:51PM +, Gregory Maxwell wrote:
>> On Mon, Feb 22, 2016 at 7:42 PM, Kevin Fenzi wrote:
>>> My point was that you can get the signatures off the key from the
>>> keyserver and see if any of them are someone you trust. If not,
>>> are they connected to someone you trust (hey, look, web of
>>> trust). I think expanding the web of trust on the signatories of
>>> the keys would help more than just trying to distribute the key
>>> fingerprint "lots of places".
>>
>> The key itself should come with signatures. That it doesn't is
>> weird and inconvenient. If it came with a single signature by a
>> long lived key used for the purpose of authenticating keys, it
>> would go a long way.

Well, as mentioned somewhere else in this thread, sigul (our signing server) doesn't deal with signatures at all. So, we would have to pull those signatures from keyservers or sign it internally with only some small amount of keys or something.

> Some older Fedora signing keys were signed by prominent Fedora persons
> (up to F12 or so). If one has been to at least one Fedora key signing
> party and has a WOT connection to one of those persons, using the WOT
> is the best way to verify the keys one downloads from the web. It
> would be great if we could resurrect this practice and have one or
> more RelEng members and the Fedora Project Leader sign the Fedora PGP
> keys and upload their signatures to public keyservers.

Sure, I don't have any objection to this...

kevin
Re: More prominent link to verification hashes
On 02/22/2016 05:34 PM, Stephen John Smoogen wrote:
> On 22 February 2016 at 13:00, Ralf Senderek wrote:
>>> The Fedora team could get a profile and verify the key(s) through
>>> github, the Fedora and Red Hat web sites, the Fedora magazine twitter
>>> account, and by having the Fedora team all sign publicly.
>>
>> Every little helps. The important step would be if the Fedora devs state
>> the fingerprints in a visible way that risks their good reputation if the
>> information turned out to be incorrect. These statements would then be
>> the foundation of trust in what the Fedora 24 key signs.
>
> OK and how many people check to see what another person's reputation is?
> And how many people have gotten bad reputations from signing bad things?
> It all sounds great on paper, but without actual methods and regular
> checks.. it is as useless as a keysigning party where no one does a full
> check of the passport and driver's license with the issuing authority.
> [We all do the $200.00 background check on everyone we sign don't we?]

I don't, but I think there's benefit in using keybase.io and having any Fedora contributors verify that, because:

1. Keybase is easy to check - pop open the web page and it's all there
2. Hosted outside Fedora infrastructure, so 2 points of compromise would have to happen

Also, keep in mind that the checks on keybase aren't necessarily "you are Ryan Scott Brown, as identified by driver's license," but rather that I am the @ryan_sb on twitter, and ryansb on github, and owner of rsb.io. For most "people on the internet" the second set of parameters is what people actually know me as, so that's more useful for the looser verification of "someone I think would notice if Fedora switched their GPG key".

Also, tying the GPG key to the various Fedora project social accounts would help since, again, that's another point of compromise that would need to happen to switch up our .iso's.

Literally nothing we can ever do will be bulletproof[1], but doing anything better than putting the GPG keys on the same site as the ISOs isn't futile.

1: https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf

>>> Combined with having the key on getfedora.org, it at least provides a
>>> measure of protection against our site being compromised. It also has
>>> the benefit of, if someone knows of any Fedora devs on Twitter or
>>> another service, they can follow the web of social-service trust. This
>>> isn't as good as if they had a direct path to the Fedora WoT through
>>> normal signatures, but it's much more likely to actually occur.
>>
>> Yes all of this, please.

--
Ryan Brown / Senior Software Engineer, OpenStack / Red Hat, Inc.
Re: More prominent link to verification hashes
On Mon, 22 Feb 2016 09:29:37 -0700, Kevin Fenzi wrote:
> On Sun, 21 Feb 2016 23:21:58 +0100
> Jens Lody wrote:
>
> > This can also be done before clicking the link-button, or the
> > download splash is also shown without javascript. This should not
> > be too hard to implement.
>
> https://fedorahosted.org/fedora-websites awaits your ticket.
>
> Bonus points for proposed patch also. ;)
>
> kevin

I just filed a ticket with a possible (quick) patch:

https://fedorahosted.org/fedora-websites/ticket/377

Jens
Re: More prominent link to verification hashes
On Mon, Feb 22, 2016 at 07:47:51PM +, Gregory Maxwell wrote:
> On Mon, Feb 22, 2016 at 7:42 PM, Kevin Fenzi wrote:
> > My point was that you can get the signatures off the key from the
> > keyserver and see if any of them are someone you trust. If not, are
> > they connected to someone you trust (hey, look, web of trust). I think
> > expanding the web of trust on the signatories of the keys would help
> > more than just trying to distribute the key fingerprint "lots of
> > places".
>
> The key itself should come with signatures. That it doesn't is weird
> and inconvenient. If it came with a single signature by a long lived
> key used for the purpose of authenticating keys, it would go a long
> way.

Some older Fedora signing keys were signed by prominent Fedora persons (up to F12 or so). If one has been to at least one Fedora key signing party and has a WOT connection to one of those persons, using the WOT is the best way to verify the keys one downloads from the web. It would be great if we could resurrect this practice and have one or more RelEng members and the Fedora Project Leader sign the Fedora PGP keys and upload their signatures to public keyservers.

Signature chaining (F24 key signed by F23, etc..) would also be helpful.

Zbyszek
Re: More prominent link to verification hashes
For what it is worth, not signing the key is bug 1043276:
https://bugzilla.redhat.com/show_bug.cgi?id=1043276

> Date: Mon, 22 Feb 2016 19:47:51 +
> From: Gregory Maxwell
> Subject: Re: More prominent link to verification hashes
> To: Development discussions related to Fedora
> Message-ID:
> Content-Type: text/plain; charset=UTF-8
>
> On Mon, Feb 22, 2016 at 7:42 PM, Kevin Fenzi wrote:
>> My point was that you can get the signatures off the key from the
>> keyserver and see if any of them are someone you trust. If not, are
>> they connected to someone you trust (hey, look, web of trust). I think
>> expanding the web of trust on the signatories of the keys would help
>> more than just trying to distribute the key fingerprint "lots of
>> places".
>
> The key itself should come with signatures. That it doesn't is weird
> and inconvenient. If it came with a single signature by a long lived
> key used for the purpose of authenticating keys, it would go a long
> way.
Re: More prominent link to verification hashes
On 22 February 2016 at 13:00, Ralf Senderek wrote:
>
>> The Fedora team could get a profile and verify the key(s) through
>> github, the Fedora and Red Hat web sites, the Fedora magazine twitter
>> account, and by having the Fedora team all sign publicly.
>
> Every little helps. The important step would be if the Fedora devs state the
> fingerprints in a visible way that risks their good reputation if the
> information turned out to be incorrect. These statements would then be the
> foundation of trust in what the Fedora 24 key signs.
>

OK and how many people check to see what another person's reputation is? And how many people have gotten bad reputations from signing bad things? It all sounds great on paper, but without actual methods and regular checks.. it is as useless as a keysigning party where no one does a full check of the passport and driver's license with the issuing authority. [We all do the $200.00 background check on everyone we sign don't we?]

>> Combined with having the key on getfedora.org, it at least provides a
>> measure of protection against our site being compromised. It also has
>> the benefit of, if someone knows of any Fedora devs on Twitter or
>> another service, they can follow the web of social-service trust. This
>> isn't as good as if they had a direct path to the Fedora WoT through
>> normal signatures, but it's much more likely to actually occur.
>
> Yes all of this, please.

--
Stephen J Smoogen.
Re: More prominent link to verification hashes
> The Fedora team could get a profile and verify the key(s) through
> github, the Fedora and Red Hat web sites, the Fedora magazine twitter
> account, and by having the Fedora team all sign publicly.

Every little helps. The important step would be if the Fedora devs state the fingerprints in a visible way that risks their good reputation if the information turned out to be incorrect. These statements would then be the foundation of trust in what the Fedora 24 key signs.

> Combined with having the key on getfedora.org, it at least provides a
> measure of protection against our site being compromised. It also has
> the benefit of, if someone knows of any Fedora devs on Twitter or
> another service, they can follow the web of social-service trust. This
> isn't as good as if they had a direct path to the Fedora WoT through
> normal signatures, but it's much more likely to actually occur.

Yes all of this, please.
Re: More prominent link to verification hashes
On Mon, Feb 22, 2016 at 7:42 PM, Kevin Fenzi wrote:
> My point was that you can get the signatures off the key from the
> keyserver and see if any of them are someone you trust. If not, are
> they connected to someone you trust (hey, look, web of trust). I think
> expanding the web of trust on the signatories of the keys would help
> more than just trying to distribute the key fingerprint "lots of
> places".

The key itself should come with signatures. That it doesn't is weird and inconvenient. If it came with a single signature by a long lived key used for the purpose of authenticating keys, it would go a long way.
Re: More prominent link to verification hashes
On Mon, Feb 22, 2016 at 6:35 PM, Kevin Fenzi wrote:
> Well, I agree the instructions could do better, but how would that help
> if the site was compromised? The attackers would write their own
> instructions.
>
> In addition to the verify link, the https://getfedora.org/en/keys/faq/
> needs a good going over.

New users are stateless and little can be done there; at least not right now when pre-textual security procedures like Fedora's are ubiquitous and thus can't be taken as a clear sign of compromise.

Existing users are another matter; "Hey, wasn't the last fedora key signed by the fedora-keys-key that I already have?? Something smells fishy here". Doubly so if fedora included a fedora-downloader that users use to get new images which automatically checked these things.

> Pointing people to the sks keyservers to download the key would be nice

I don't think there is any utility in pointing people to a keyserver here.

> and asking them to check the signatures for a web of trust link would
> be great, but I am not sure how many people would care to do that or
> have any links there.

It's useful if that even worked for the few who would do it-- so that in untargeted replacement they could sound alarms.

But I wasn't even suggesting something so broad as WOT: I'm only suggesting that Fedora should commit to signing every release key with a long lived, offline stored, key-- or, alternatively, with prior releases' release keys. So that people who somehow managed to get a faithful fedora keyring at some point aren't exposed to compromise over and over again in the future.

> If the site is compromised how would any of that help?

The compromised site could not sign their replacement keys-- they'd have to just alter or drop the procedure that provides actual security, and this disruption would catch the attention of some users. (and better, if an automated mechanism is provided and gains wide usage.)

> This is already done somewhat... the fedora-repos package has all the
> keys in it from the time it was last updated.

That's good. The last I had seen it didn't include keys for future releases. If they're there now the instructions could simply tell the user to skip the key download if they're already on an updated fedora install.

The limitation there is that this needs to have virtually no false positives, and so the lack of updates to that package as versions go EOL would still be problematic. "Oh, it didn't work. I guess I'll blindly pull the keys from the site" would undo the security.

> So, if you have a fedora
> install you can check the key in fedora-repos. However, that still
> doesn't get around the fact that the anchor of trust here is the ca
> certificate system, or I suppose, best case it would be a web of trust
> link back to the gpg key, but the web of trust is not that expansive
> and random users who don't care about gpg likely wouldn't have any
> links into the Fedora web of trust.

"Trust anchor" is too narrow a concept-- If the user has to only successfully get the real keys once and then will be protected after if they're successful, that is a win in and of itself. It also means that more effort can be rationally expended on those few initialization times (e.g. trying the WOT method, checking multiple sources, etc.).
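Zbyszek's "signature chaining (F24 key signed by F23)" earlier in the thread and Gregory's proposal here that every release key be signed by a long-lived offline key or by the prior release's key both reduce, on the user's side, to one check: does the new key carry a signature, verified by gpg, from a key I already hold and trust? Below is that check as an added example. It is not Fedora or sigul code; the key IDs and the listing are constructed, and the listing's layout follows the `--with-colons` record format documented in GnuPG's DETAILS file (an assumption about what `gpg --with-colons --check-sigs` prints, not captured output).

```python
"""Check that a new release signing key carries a gpg-verified signature from
a pinned previous key (the "signature chaining" idea from the thread).

Added example, not Fedora or sigul code. SAMPLE_LISTING is constructed with
made-up key IDs; its layout follows the documented `--with-colons` format
(GnuPG doc/DETAILS) and is an assumption, not captured gpg output.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass

# Constructed `gpg --with-colons --check-sigs` output for a hypothetical
# "Fedora (24)" key. Field 1: record type; field 2 on sig records: '!' good,
# '-' bad, '?' signer key not in keyring; field 5: key ID; field 10: user ID;
# field 11: signature class (13x self-certification, 10x generic).
SAMPLE_LISTING = """\
tru::1:1456000000:0:3:1:5
pub:-:4096:1:AAAAAAAAAAAA0024:1450000000:::-:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000AAAAAAAAAAAA0024:
uid:-::::1450000000::UIDHASH::Fedora (24) <fedora-24-primary@example.invalid>::::::::::0:
sig:!::1:AAAAAAAAAAAA0024:1450000000::::Fedora (24) <fedora-24-primary@example.invalid>:13x:::::2:
sig:!::1:BBBBBBBBBBBB0023:1450000500::::Fedora (23) <fedora-23-primary@example.invalid>:10x:::::2:
sig:?::1:CCCCCCCCCCCC9999:1450001000::::[User ID not found]:10x:::::2:
"""


@dataclass(frozen=True)
class Sig:
    signer_keyid: str   # field 5, upper-cased
    status: str         # field 2: '!', '-', '?', '%', or '' without --check-sigs
    sig_class: str      # field 11


def parse_key_sigs(listing: str) -> dict[str, list[Sig]]:
    """Map each primary key ID in the listing to the sig records under it."""
    sigs: dict[str, list[Sig]] = {}
    current: str | None = None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = f[4].upper()
            sigs.setdefault(current, [])
        elif f[0] == "sub":
            current = None          # subkey records are not certifications
        elif f[0] == "sig" and current is not None and len(f) > 10:
            sigs[current].append(Sig(f[4].upper(), f[1], f[10]))
    return sigs


def chain_verified(listing: str, new_keyid: str, pinned_prev_keyid: str) -> tuple[bool, str]:
    """(ok, reason). ok only when the new key has a signature from the pinned
    previous key and gpg reported it good ('!'), i.e. the previous key is in
    the local keyring and the signature cryptographically verified.
    """
    new_keyid, pinned_prev_keyid = new_keyid.upper(), pinned_prev_keyid.upper()
    if new_keyid == pinned_prev_keyid:
        return False, "a key cannot vouch for itself"
    sigs = parse_key_sigs(listing)
    if new_keyid not in sigs:
        return False, "new key not present in listing"
    for s in sigs[new_keyid]:
        if s.signer_keyid != pinned_prev_keyid:
            continue                # self-sigs and third-party sigs are not the chain
        if s.status == "!":
            return True, "good signature from pinned previous key"
        if s.status == "?":
            return False, "signature present but previous key not in keyring; import it first"
        return False, f"signature from previous key did not verify (status {s.status!r})"
    return False, "no signature from pinned previous key; fall back to out-of-band checks"


def listing_from_gpg(keyid: str) -> str:
    """Run gpg for the real listing (the pinned previous key must be imported)."""
    return subprocess.run(
        ["gpg", "--with-colons", "--check-sigs", keyid],
        capture_output=True, text=True, check=False,
    ).stdout


if __name__ == "__main__":
    # Offline demonstration on the constructed listing; swap in
    # listing_from_gpg("<new key id>") to check a real keyring.
    for prev in ("BBBBBBBBBBBB0023", "CCCCCCCCCCCC9999", "DDDDDDDDDDDD0000"):
        print(prev, chain_verified(SAMPLE_LISTING, "AAAAAAAAAAAA0024", prev))
```

The point of insisting on the `!` status rather than the mere presence of a `sig` record is the one Gregory makes: a compromised download site can ship a key with any signature packets it likes, but it cannot make them verify against the previous release key the user already holds, so a chain check that only verifies locally held keys is the one the attacker cannot satisfy.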
Re: More prominent link to verification hashes
On Mon, 22 Feb 2016 19:22:24 - "Ralf Senderek" wrote:

> > If the site is compromised, most bets are off sadly.
>
> Yes, for people who look only in one place, the manipulated web
> server. But that is the reason why the fingerprint has to pop up in
> different places where it is hard to fake. Even if this one user can
> be tricked, others can discover that the site is compromised if the
> fingerprint is independently recorded many times elsewhere.

But how would anyone even know to look there? Or if someone told you: "you should check for this key fingerprint on 10 sites before you trust it", an intruder could just spin up 10 random sites that mention their compromised key.

I see what you are getting at, but it would only help people heavily involved in the project any.

> BTW, pointing to a key server is not the way to convince anyone. A
> key server is a convenient way to get keys, not a tool to assure
> their authenticity. So I don't think that there is much of an
> alternative other than someone stepping in and providing some
> first-hand knowledge about the key.
> --

My point was that you can get the signatures off the key from the keyserver and see if any of them are someone you trust. If not, are they connected to someone you trust (hey, look, web of trust). I think expanding the web of trust on the signatories of the keys would help more than just trying to distribute the key fingerprint "lots of places".

kevin
Re: More prominent link to verification hashes
On 02/22/2016 02:22 PM, Ralf Senderek wrote:
>> If the site is compromised, most bets are off sadly.
>
> Yes, for people who look only in one place, the manipulated web server.
> But that is the reason why the fingerprint has to pop up in different
> places where it is hard to fake. Even if this one user can be tricked,
> others can discover that the site is compromised if the fingerprint is
> independently recorded many times elsewhere.
>
> BTW, pointing to a key server is not the way to convince anyone. A key
> server is a convenient way to get keys, not a tool to assure their
> authenticity. So I don't think that there is much of an alternative
> other than someone stepping in and providing some first-hand knowledge
> about the key.

Could an external service such as keybase.io be helpful here? It's not a FOSS service, but it's been doing good work on making GPG more accessible by tying into many services and putting them all in a sort of verification dashboard. If keybase is new to you, here's my profile https://keybase.io/ryansb

The Fedora team could get a profile and verify the key(s) through github, the Fedora and Red Hat web sites, the Fedora magazine twitter account, and by having the Fedora team all sign publicly.

Combined with having the key on getfedora.org, it at least provides a measure of protection against our site being compromised. It also has the benefit of, if someone knows of any Fedora devs on Twitter or another service, they can follow the web of social-service trust. This isn't as good as if they had a direct path to the Fedora WoT through normal signatures, but it's much more likely to actually occur.

--
Ryan Brown / Senior Software Engineer, OpenStack / Red Hat, Inc.
Re: More prominent link to verification hashes
> If the site is compromised, most bets are off sadly.

Yes, for people who look only in one place, the manipulated web server. But that is the reason why the fingerprint has to pop up in different places where it is hard to fake. Even if this one user can be tricked, others can discover that the site is compromised if the fingerprint is independently recorded many times elsewhere.

BTW, pointing to a key server is not the way to convince anyone. A key server is a convenient way to get keys, not a tool to assure their authenticity. So I don't think that there is much of an alternative other than someone stepping in and providing some first-hand knowledge about the key.
Re: More prominent link to verification hashes
On Sun, Feb 21, 2016 at 11:31:05AM -0700, Chris Murphy wrote:
> On Sun, Feb 21, 2016 at 7:32 AM, Sam Varshavchik wrote:
> > So, I see that someone hacked Linux Mint, and slipped in some trojaned ISO
> > download images.
>
> Since Fedora looks to be moving to Live USB Creator (maybe Fedora
> Media Writer, TBD) as the primary download for Fedora 24, I wonder if
> the new tool automatically verifies the GPG signed hash file, and
> compares that hash with a computed one from the downloaded file?

If we had virt-builder metadata, virt-builder will check the SHA256 [by default] hash of the downloaded cloud image. The hash is contained in the GPG signed metadata. To do this, virt-builder ships with (or would ship with, if we had virt-builder metadata) the Fedora GPG pubkey.

Currently SUSE are doing exactly this for their cloud images.

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines. Boot with a live CD or over the network (PXE) and turn machines into KVM guests. http://libguestfs.org/virt-v2v
Re: More prominent link to verification hashes
On Mon, 22 Feb 2016 18:21:04 - "Ralf Senderek" wrote:

> While signing new keys with old release keys would certainly help to
> make the attacker's job harder, it doesn't solve the trust problem.

I don't think it even makes their job harder.

> The one thing people would have to check is the fingerprint. That in
> itself would be sufficient even if the new key is not being signed by
> another one. The current download gives a fingerprint for the new
> Fedora 24 key:
>
> Key fingerprint = 5048 BDBB A5E7 76E5 47B0 9CCC 73BD E983 81B4 6521
>
> and this could as well be manipulated by the attacker who has access
> to the web server. Given that this fingerprint is actually correct,
> it would help if it was printed off-line in any publication
> authorized by Fedora. The use and distribution of the fingerprint to
> various places showing consistently the same information would make
> it near impossible to fake the key. If that had been done beforehand,
> all a new, ordinary user would have to do is to check this one
> fingerprint.

They would know that they should do this how? It is available on sks keyservers like keys.fedoraproject.org

> So please can someone convince me that the key above is really the
> right one? If so, using this fingerprint anywhere would help to build
> the trust that is not there yet.

In the end you are either trusting the https network or the gpg web of trust.

> Using HTTPS does not at all verify that the information you get is
> correct, it assures you of the correct origin, if https actually
> works as advertised, which in many cases it doesn't. But Red Hat
> could publish the Fedora fingerprint as well on their servers.
> --

Sure, but who would know to look there? If the site is compromised, most bets are off sadly.

kevin
Re: More prominent link to verification hashes
On Mon, 22 Feb 2016 16:48:29 + Gregory Maxwell wrote:

> On Sun, Feb 21, 2016 at 2:32 PM, Sam Varshavchik wrote:
> > One has to jump into the installation guide, in order to find a
> > buried link to https://getfedora.org/verify
>
> The instructions here have you download a set of PGP keys from the
> same https webserver which could have been compromised to give you bad
> download instructions.
>
> The Fedora 24 key inside it is not signed by any other key. (And even
> if it were, no instruction is given to verify the key authenticity;
> nor to seek out signatures on the key elsewhere (there is one on the
> MIT key servers, but it does no good to users following these
> instructions)).
>
> This is security theater

Well, I agree the instructions could do better, but how would that help if the site was compromised? The attackers would write their own instructions.

In addition to the verify link, the https://getfedora.org/en/keys/faq/ needs a good going over.

Pointing people to the sks keyservers to download the key would be nice and asking them to check the signatures for a web of trust link would be great, but I am not sure how many people would care to do that or have any links there.

> I've previously complained that Fedora PGP keys are unsigned,
> otherwise unauthenticated, and shipped in the same location as the
> potentially compromised binaries; and that the verification does
> nothing to improve security against compromise of the main download
> site, or MITM near enough to it on the network to get a https cert...
> to no effect before.

If the site is compromised how would any of that help?

> Authenticating keys is hard in general; but existing fedora users
> should at least be able to trust-on-first-use chain from earlier keys
> to later ones-- assuming the fedora keys are kept offline and not
> compromised-- and the instructions should have them verify
> accordingly. But this would require the keys being shipped are signed
> with prior releases key (or some static key signing key), and existing
> users being told to check for that. It would also be preferable if the
> keys were distributed on a separate server on a different network, so
> that https would protect users that didn't/couldn't verify the
> authenticity of the downloaded keys.

This is already done somewhat... the fedora-repos package has all the keys in it from the time it was last updated. So, if you have a fedora install you can check the key in fedora-repos. However, that still doesn't get around the fact that the anchor of trust here is the ca certificate system, or I suppose, best case it would be a web of trust link back to the gpg key, but the web of trust is not that expansive and random users who don't care about gpg likely wouldn't have any links into the Fedora web of trust.

kevin
Re: More prominent link to verification hashes
> On Sun, Feb 21, Gregory Maxwell wrote:
> The Fedora 24 key inside it is not signed by any other key.
...
> Authenticating keys is hard in general; but existing fedora users
> should at least be able to trust-on-first-use chain from earlier keys
> to later ones-- assuming the fedora keys are kept offline and not
> compromised-- and the instructions should have them verify
> accordingly. But this would require the keys being shipped are signed
> with prior releases key (or some static key signing key), and existing
> users being told to check for that.

While signing new keys with old release keys would certainly help to make the attacker's job harder, it doesn't solve the trust problem.

The one thing people would have to check is the fingerprint. That in itself would be sufficient even if the new key is not being signed by another one. The current download gives a fingerprint for the new Fedora 24 key:

Key fingerprint = 5048 BDBB A5E7 76E5 47B0 9CCC 73BD E983 81B4 6521

and this could as well be manipulated by the attacker who has access to the web server. Given that this fingerprint is actually correct, it would help if it was printed off-line in any publication authorized by Fedora. The use and distribution of the fingerprint to various places showing consistently the same information would make it near impossible to fake the key. If that had been done beforehand, all a new, ordinary user would have to do is to check this one fingerprint.

So please can someone convince me that the key above is really the right one? If so, using this fingerprint anywhere would help to build the trust that is not there yet.

> It would also be preferable if the
> keys were distributed on a separate server on a different network, so
> that https would protect users that didn't/couldn't verify the
> authenticity of the downloaded keys.

Using HTTPS does not at all verify that the information you get is correct, it assures you of the correct origin, if https actually works as advertised, which in many cases it doesn't. But Red Hat could publish the Fedora fingerprint as well on their servers.
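Two mechanical checks sit behind the discussion in this thread: the fingerprint comparison Ralf describes above (what the user is shown versus a value pinned from somewhere other than the download page) and the hash comparison in Rich Jones's virt-builder post earlier (the image's SHA256 versus the value in a GPG-signed file). Both are small enough to show in code. The following is an added example, not Fedora's or virt-builder's tooling: the fingerprint is the one quoted above, the image bytes and CHECKSUM text are constructed, the `SHA256 (name) = hex` line layout is assumed from Fedora's clearsigned CHECKSUM files, and the VALIDSIG status line is the one gpg emits with `--status-fd`; verifying the clearsignature itself is left to gpg in main().

```python
"""Pinned-fingerprint and CHECKSUM-file checks for a downloaded image.
Added example, not Fedora's or virt-builder's tooling; the image bytes and
CHECKSUM text below are constructed and the 'SHA256 (name) = hex' digest
line layout is assumed from Fedora's CHECKSUM files."""
from __future__ import annotations

import hashlib
import hmac
import re
import subprocess
import sys

# Fedora 24 key fingerprint as quoted in the thread; pin it from a source
# other than the download page you are about to verify.
PINNED_FINGERPRINT = "5048 BDBB A5E7 76E5 47B0 9CCC 73BD E983 81B4 6521"
CHECKSUM_LINE_RE = re.compile(r"^(SHA256|SHA512)\s+\((.+)\)\s*=\s*([0-9a-fA-F]+)$")
FPR_RE = re.compile(r"[0-9A-F]{40}")


def normalize_fingerprint(fpr: str) -> str:
    """Canonical 40-hex form: display spacing, colons and case do not matter.
    Anything shorter (e.g. a short key ID) is rejected rather than compared."""
    cleaned = re.sub(r"[\s:]", "", fpr).upper()
    if not FPR_RE.fullmatch(cleaned):
        raise ValueError("expected a 40-hex-digit v4 fingerprint")
    return cleaned


def fingerprint_matches(shown: str, pinned: str = PINNED_FINGERPRINT) -> bool:
    """True only if the fingerprint shown to the user equals the pinned one."""
    return normalize_fingerprint(shown) == normalize_fingerprint(pinned)


def signing_fingerprint(status_output: str) -> str | None:
    """Fingerprint from the VALIDSIG line of `gpg --status-fd 1 --verify`,
    preferring the primary-key fingerprint in the last field; None if absent."""
    for line in status_output.splitlines():
        f = line.split()
        if len(f) >= 3 and f[0] == "[GNUPG:]" and f[1] == "VALIDSIG":
            for cand in (f[-1], f[2]):
                if FPR_RE.fullmatch(cand):
                    return cand
    return None


def parse_checksum_file(text: str) -> dict[str, tuple[str, str]]:
    """Map file name -> (algorithm, expected hex digest). Comment lines, the
    clearsign header and the armored signature block do not match and are skipped."""
    entries: dict[str, tuple[str, str]] = {}
    for line in text.splitlines():
        m = CHECKSUM_LINE_RE.match(line.strip())
        if m:
            entries[m.group(2)] = (m.group(1).lower(), m.group(3).lower())
    return entries


def digest(data: bytes, algo: str) -> str:
    return hashlib.new(algo, data).hexdigest()


def verify_image(name: str, data: bytes, checksum_text: str) -> bool:
    """True only if CHECKSUM lists `name` and the digest matches. A missing
    entry is a failure: "nothing to compare against" is not a pass."""
    entries = parse_checksum_file(checksum_text)
    if name not in entries:
        return False
    algo, expected = entries[name]
    return hmac.compare_digest(digest(data, algo), expected)


# Constructed stand-ins for a real download and its clearsigned CHECKSUM.
SAMPLE_NAME = "Fedora-Example-24.iso"
SAMPLE_ISO = b"constructed stand-in for an ISO image\n" * 1000
SAMPLE_CHECKSUM = f"""-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# {SAMPLE_NAME}: {len(SAMPLE_ISO)} bytes
SHA256 ({SAMPLE_NAME}) = {digest(SAMPLE_ISO, "sha256")}
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
"""


def main(argv: list[str]) -> int:
    """verify.py IMAGE CHECKSUM: gpg checks the CHECKSUM clearsignature, the
    signer must be the pinned key, then the image digest must match."""
    if len(argv) != 3:
        print("usage: verify.py IMAGE CHECKSUM", file=sys.stderr)
        return 2
    image, checksum_path = argv[1], argv[2]
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", checksum_path],
                          capture_output=True, text=True)
    fpr = signing_fingerprint(proc.stdout)
    if proc.returncode != 0 or fpr is None or not fingerprint_matches(fpr):
        print("CHECKSUM not signed by the pinned key; stop here", file=sys.stderr)
        return 1
    with open(checksum_path, encoding="utf-8") as f, open(image, "rb") as img:
        ok = verify_image(image.rsplit("/", 1)[-1], img.read(), f.read())
    print("image digest OK" if ok else "image digest MISMATCH")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two design points follow from the thread. The fingerprint comparison uses the full 40-hex fingerprint and rejects anything shorter, so a matching short key ID can never be mistaken for a match. And a file name absent from CHECKSUM is treated as a failure rather than "nothing to check", which is the false-negative trap Gregory warns about when a check silently does nothing and the user falls back to trusting the site.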
Re: More prominent link to verification hashes
On Sun, Feb 21, 2016 at 2:32 PM, Sam Varshavchik wrote:
> One has to jump into the installation guide, in order to find a buried link
> to https://getfedora.org/verify

The instructions here have you download a set of PGP keys from the same https webserver which could have been compromised to give you bad download instructions.

The Fedora 24 key inside it is not signed by any other key. (And even if it were, no instruction is given to verify the key authenticity; nor to seek out signatures on the key elsewhere (there is one on the MIT key servers, but it does no good to users following these instructions)).

This is security theater.

I've previously complained that Fedora PGP keys are unsigned, otherwise unauthenticated, and shipped in the same location as the potentially compromised binaries; and that the verification does nothing to improve security against compromise of the main download site, or MITM near enough to it on the network to get a https cert... to no effect before.

Authenticating keys is hard in general; but existing fedora users should at least be able to trust-on-first-use chain from earlier keys to later ones-- assuming the fedora keys are kept offline and not compromised-- and the instructions should have them verify accordingly. But this would require the keys being shipped are signed with prior releases key (or some static key signing key), and existing users being told to check for that. It would also be preferable if the keys were distributed on a separate server on a different network, so that https would protect users that didn't/couldn't verify the authenticity of the downloaded keys.
Re: More prominent link to verification hashes
On Sun, 21 Feb 2016 23:21:58 +0100 Jens Lody wrote:

> This can also be done before clicking the link-button, or the download
> splash is also shown without javascript. This should not be too hard
> to implement.

https://fedorahosted.org/fedora-websites awaits your ticket.

Bonus points for proposed patch also. ;)

kevin
Re: More prominent link to verification hashes
Adam Williamson writes:

> On Sun, 2016-02-21 at 23:08 +0100, Jens Lody wrote:
> > On Sun, 21 Feb 2016 21:35:32 +, Tom Hughes wrote:
> > > On 21/02/16 21:31, Jens Lody wrote:
> > > >
> > > > I don't see any hint about verification, if I go to the
> > > > download-site from Germany:
> > > >
> > > > https://getfedora.org/de_CH/workstation/download/
> > > >
> > > > There's just a button, that directly downloads the iso.
> > >
> > > You must have javascript disabled for getfedora.org then - if it was
> > > enabled you would get the screen Kevin mentioned.
> > >
> > > Tom
> >
> > I also thought that this can be the cause, so I explicitly enabled it
> > before I checked the site.
> >
> > But even if a user does not enable javascript, the site should at least
> > show a hint about verification.
>
> This is all fairly beside the point, however, if we're talking about the
> scenario that affected Mint. The attacker in that case was able to modify
> the download pages themselves. It doesn't matter if the pristine pages
> feature a giant pink unicorn holding a banner that says "VERIFY YOUR
> DOWNLOAD!" in flashing 144pt Comic Sans - if the attacker can modify the
> download pages, they just remove all the stuff about verifying the
> download. Or, better, change the checksums so they match...

Yeah, not much can be done about total 0wnage. But, that shouldn't be a reason to avoid doing something fairly simple that would mitigate partial 0wnage. Making sure that instructions for verifying the hashes of downloaded ISO images are easily and readily visible would be a bare minimum, I'd think. I'm sure that the ISOs are not stored on the web servers themselves.
Re: More prominent link to verification hashes
On Sun, 2016-02-21 at 23:08 +0100, Jens Lody wrote:
> On Sun, 21 Feb 2016 21:35:32 +, Tom Hughes wrote:
> > On 21/02/16 21:31, Jens Lody wrote:
> > >
> > > I don't see any hint about verification, if I go to the
> > > download-site from Germany:
> > >
> > > https://getfedora.org/de_CH/workstation/download/
> > >
> > > There's just a button, that directly downloads the iso.
> >
> > You must have javascript disabled for getfedora.org then - if it was
> > enabled you would get the screen Kevin mentioned.
> >
> > Tom
>
> I also thought that this can be the cause, so I explicitly enabled it
> before I checked the site.
>
> But even if a user does not enable javascript, the site should at least
> show a hint about verification.

This is all fairly beside the point, however, if we're talking about the scenario that affected Mint. The attacker in that case was able to modify the download pages themselves. It doesn't matter if the pristine pages feature a giant pink unicorn holding a banner that says "VERIFY YOUR DOWNLOAD!" in flashing 144pt Comic Sans - if the attacker can modify the download pages, they just remove all the stuff about verifying the download. Or, better, change the checksums so they match...

--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net
Re: More prominent link to verification hashes
On Sun, 21 Feb 2016 23:08:23 +0100
Jens Lody wrote:

> On Sun, 21 Feb 2016 21:35:32 +
> Tom Hughes wrote:
>
> > On 21/02/16 21:31, Jens Lody wrote:
> >
> > > I don't see any hint about verification, if I go to the
> > > download-site from germany:
> > >
> > > https://getfedora.org/de_CH/workstation/download/
> > >
> > > There's just a button, that directly downloads the iso.
> >
> > You must have javascript disabled for getfedora.org then - if it
> > was enabled you would get the screen Kevin mentioned.
> >
> > Tom
>
> I also thought that this can be the cause, so I explicitly enabled it
> before I checked the site.

Oops, you are right.
I did not click on the link/button, after turning on javascript, just
without it.
I thought it is just a link to the iso as shown in the statusline.

Nevertheless:

> But even if a user does not enable javascript, the site should at
> least show a hint about verification.

This can also be done before clicking the link-button, or the download
splash is also shown without javascript.
This should not be too hard to implement.

Jens
Re: More prominent link to verification hashes
On Sun, 21 Feb 2016 21:35:32 +
Tom Hughes wrote:

> On 21/02/16 21:31, Jens Lody wrote:
>
> > I don't see any hint about verification, if I go to the
> > download-site from germany:
> >
> > https://getfedora.org/de_CH/workstation/download/
> >
> > There's just a button, that directly downloads the iso.
>
> You must have javascript disabled for getfedora.org then - if it was
> enabled you would get the screen Kevin mentioned.
>
> Tom

I also thought that this can be the cause, so I explicitly enabled it
before I checked the site.

But even if a user does not enable javascript, the site should at least
show a hint about verification.

Jens
Re: More prominent link to verification hashes
On Sun, 21 Feb 2016 10:36:37 -0700
Kevin Fenzi wrote:

> On Sun, 21 Feb 2016 09:32:46 -0500
> Sam Varshavchik wrote:
>
> > So, I see that someone hacked Linux Mint, and slipped in some
> > trojaned ISO download images.
> >
> > As a curiosity, I went to https://getfedora.org, to see how easy it
> > is to find instructions for verifying the downloaded images.
> >
> > I couldn't find it. There were many helpful download links, all over
> > the place, but mum was the word on any kind of a verification.
> >
> > One has to jump into the installation guide, in order to find a
> > buried link to https://getfedora.org/verify
> >
> > This link is hidden very well. It shouldn't be. The fact is that
> > with Live images being the primary avenue for installing Fedora,
> > the need for an installation guide is greatly diminished.
> >
> > Every link to download a Live image should have a link to
> > https://getfedora.org/verify right next to it, so you can't miss it.
> > This should be a policy.
>
> It does. You just didn't look in the right place. ;)
>
> When you click on a download link, the site directs you to a page
> showing the download link and that it should have started downloading
> in your browser and then at the very top is a section talking about
> verification.
>
> https://getfedora.org/en/workstation/download/ws-download-splash?file=https://download.fedoraproject.org/pub/fedora/linux/releases/23/Workstation/x86_64/iso/Fedora-Live-Workstation-x86_64-23-10.iso
>
> "Verify your Download!
>
> Once you have downloaded an image, verify it for security and
> integrity. To verify your image, start by downloading the proper
> CHECKSUM file into the same directory as the image you downloaded and
> follow these instructions."
>
> (and then a big button to download the signed checksum file)
>
> If you have ideas or thoughts around making things better, please do
> file a ticket with the websites folks and discuss it with them.
>
> https://fedorahosted.org/fedora-websites/
>
> kevin

I don't see any hint about verification, if I go to the download-site
from germany:

https://getfedora.org/de_CH/workstation/download/

There's just a button, that directly downloads the iso.

Jens
Re: More prominent link to verification hashes
On 21/02/16 21:31, Jens Lody wrote:
> I don't see any hint about verification, if I go to the
> download-site from germany:
>
> https://getfedora.org/de_CH/workstation/download/
>
> There's just a button, that directly downloads the iso.

You must have javascript disabled for getfedora.org then - if it was
enabled you would get the screen Kevin mentioned.

Tom

--
Tom Hughes (t...@compton.nu)
http://compton.nu/
Re: More prominent link to verification hashes
On Sun, Feb 21, 2016 at 01:43:54PM -0500, Matthew Miller wrote:
> On Sun, Feb 21, 2016 at 11:31:05AM -0700, Chris Murphy wrote:
> > On Sun, Feb 21, 2016 at 7:32 AM, Sam Varshavchik wrote:
> > > So, I see that someone hacked Linux Mint, and slipped in some trojaned ISO
> > > download images.
> > Since Fedora looks to be moving to Live USB Creator (maybe Fedora
> > Media Writer, TBD) as the primary download for Fedora 24, I wonder if
> > the new tool automatically verifies the GPG signed hash file, and
> > compares that hash with a computed one from the downloaded file?
>
> AFAIK, it compares the computed hash with the one from the hash file,
> but I don't think it does GPG verification. There's some level of
> "turtles all the way down" going on here, though, because how do you
> know that LiveUSB creator is itself uncompromised, checking against the
> right GPG key, and reporting the results accurately?

Wasn't there a lot of discussion recently about how to sign LUC?

Zbyszek
Re: More prominent link to verification hashes
On Sun, Feb 21, 2016 at 11:31:05AM -0700, Chris Murphy wrote:
> On Sun, Feb 21, 2016 at 7:32 AM, Sam Varshavchik wrote:
> > So, I see that someone hacked Linux Mint, and slipped in some trojaned ISO
> > download images.
> Since Fedora looks to be moving to Live USB Creator (maybe Fedora
> Media Writer, TBD) as the primary download for Fedora 24, I wonder if
> the new tool automatically verifies the GPG signed hash file, and
> compares that hash with a computed one from the downloaded file?

AFAIK, it compares the computed hash with the one from the hash file,
but I don't think it does GPG verification. There's some level of
"turtles all the way down" going on here, though, because how do you
know that LiveUSB creator is itself uncompromised, checking against the
right GPG key, and reporting the results accurately?

--
Matthew Miller
Fedora Project Leader
Re: More prominent link to verification hashes
On Sun, Feb 21, 2016 at 7:32 AM, Sam Varshavchik wrote:
> So, I see that someone hacked Linux Mint, and slipped in some trojaned ISO
> download images.

Since Fedora looks to be moving to Live USB Creator (maybe Fedora Media
Writer, TBD) as the primary download for Fedora 24, I wonder if the new
tool automatically verifies the GPG signed hash file, and compares that
hash with a computed one from the downloaded file?

--
Chris Murphy
Re: More prominent link to verification hashes
On Sun, 21 Feb 2016 09:32:46 -0500
Sam Varshavchik wrote:

> So, I see that someone hacked Linux Mint, and slipped in some
> trojaned ISO download images.
>
> As a curiosity, I went to https://getfedora.org, to see how easy it
> is to find instructions for verifying the downloaded images.
>
> I couldn't find it. There were many helpful download links, all over
> the place, but mum was the word on any kind of a verification.
>
> One has to jump into the installation guide, in order to find a
> buried link to https://getfedora.org/verify
>
> This link is hidden very well. It shouldn't be. The fact is that with
> Live images being the primary avenue for installing Fedora, the need
> for an installation guide is greatly diminished.
>
> Every link to download a Live image should have a link to
> https://getfedora.org/verify right next to it, so you can't miss it.
> This should be a policy.

It does. You just didn't look in the right place. ;)

When you click on a download link, the site directs you to a page
showing the download link and that it should have started downloading
in your browser and then at the very top is a section talking about
verification.

https://getfedora.org/en/workstation/download/ws-download-splash?file=https://download.fedoraproject.org/pub/fedora/linux/releases/23/Workstation/x86_64/iso/Fedora-Live-Workstation-x86_64-23-10.iso

"Verify your Download!

Once you have downloaded an image, verify it for security and
integrity. To verify your image, start by downloading the proper
CHECKSUM file into the same directory as the image you downloaded and
follow these instructions."

(and then a big button to download the signed checksum file)

If you have ideas or thoughts around making things better, please do
file a ticket with the websites folks and discuss it with them.

https://fedorahosted.org/fedora-websites/

kevin
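The checksum comparison that the quoted "Verify your Download!" instructions above describe, and that Matthew's reply says Live USB Creator performs without a GPG check, as an added example; this is not code from the thread, from getfedora.org or from Fedora's tools. It assumes the CHECKSUM file carries BSD-style lines of the form "SHA256 (image name) = hex digest" inside a PGP clearsigned file, builds a small constructed stand-in for an ISO in memory instead of downloading anything, and does not implement OpenPGP signature verification (the standard library has none). The last constructed case is the one Adam describes: a tampered image served together with a rewritten checksum file passes the hash comparison, which is why gpg verification of the CHECKSUM file against the distribution's key has to come before the hash check, not instead of it.

```python
"""Check a downloaded image against a Fedora-style CHECKSUM file.

Added example, not from the thread or from Fedora's tooling. The CHECKSUM
line format assumed here is

    SHA256 (Fedora-Live-Workstation-x86_64-23-10.iso) = <64 hex chars>

published inside a PGP-clearsigned text file. Signature checking of that
file is out of scope for this block; only the hash comparison is shown.
"""
import hashlib
import hmac
import re
from typing import Dict

# One checksum line per image. Armor lines and "# name: N bytes" comments
# do not match and are skipped.
_LINE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-f]{64})$")


def parse_checksum_file(text: str) -> Dict[str, str]:
    """Return {image name: expected sha256 hex digest} from CHECKSUM text."""
    expected = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            expected[m.group("name")] = m.group("digest")
    return expected


def verify_image(name: str, data: bytes, checksum_text: str) -> bool:
    """True only if `name` is listed in the CHECKSUM text and its sha256 matches.

    An image that is not listed is a failure, not a pass: a missing entry
    must never be treated as "nothing to compare against".
    """
    expected = parse_checksum_file(checksum_text).get(name)
    if expected is None:
        return False
    actual = hashlib.sha256(data).hexdigest()
    # Digests are public, so timing is not a concern here; compare_digest is
    # simply the habit to keep for any comparison of authenticators.
    return hmac.compare_digest(actual, expected)


# --- constructed sample data (not real Fedora artifacts) ----------------------
IMAGE_NAME = "Fedora-Live-Workstation-x86_64-23-10.iso"
GENUINE_IMAGE = b"constructed stand-in for a genuine ISO\n"
TROJANED_IMAGE = b"constructed stand-in for a tampered ISO\n"

# What the project publishes: clearsigned text whose digest line matches the
# genuine image. The signature block is a placeholder in this example.
GENUINE_CHECKSUM = (
    "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
    f"# {IMAGE_NAME}: {len(GENUINE_IMAGE)} bytes\n"
    f"SHA256 ({IMAGE_NAME}) = {hashlib.sha256(GENUINE_IMAGE).hexdigest()}\n"
    "-----BEGIN PGP SIGNATURE-----\n(placeholder, no real signature)\n"
    "-----END PGP SIGNATURE-----\n"
)

# What a compromised download page could serve instead: a tampered image and a
# checksum file rewritten to match it. No signature from the project's key can
# exist for it, so `gpg --verify` on the file fails; the bare hash check does not.
ATTACKER_CHECKSUM = (
    f"SHA256 ({IMAGE_NAME}) = {hashlib.sha256(TROJANED_IMAGE).hexdigest()}\n"
)


def demo() -> Dict[str, bool]:
    """Run the four constructed cases and return their hash-check outcomes."""
    return {
        "genuine image, genuine CHECKSUM": verify_image(IMAGE_NAME, GENUINE_IMAGE, GENUINE_CHECKSUM),
        "tampered image, genuine CHECKSUM": verify_image(IMAGE_NAME, TROJANED_IMAGE, GENUINE_CHECKSUM),
        "tampered image, attacker CHECKSUM": verify_image(IMAGE_NAME, TROJANED_IMAGE, ATTACKER_CHECKSUM),
        "unlisted image name, genuine CHECKSUM": verify_image("other.iso", GENUINE_IMAGE, GENUINE_CHECKSUM),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'hash OK' if ok else 'hash FAIL'}")
```

Reading the four outcomes: the first passes and the second fails as expected, the fourth fails because an absent entry is not a match, and the third passes even though the image is tampered. That third result is the whole argument for checking the signature on the CHECKSUM file first: the hash comparison only tells you the image matches whatever checksum file you were handed.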