[Bug 1186793] Re: Updating is over insecure connection

2019-01-30 Thread Andy Brody
** Changed in: ubuntu
   Status: Expired => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1186793

Title:
  Updating is over insecure connection

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+bug/1186793/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1186793] Re: Updating is over insecure connection

2018-08-07 Thread Marco Voelz
Any thoughts on
https://blog.packagecloud.io/eng/2018/02/21/attacks-against-secure-apt-repositories/ ?
Seems like there are a few good reasons to use TLS, wdyt?


[Bug 1186793] Re: Updating is over insecure connection

2017-07-04 Thread Robie Basak
> How do gpg signatures and SHA512 sums help with other people in the
> open WLAN or between me and the mirror being able to see what exactly I
> download or update?

HTTPS wouldn't protect you either. The sizes and dependency trees of
individual packages are well-known. If I could see your HTTPS apt
download traffic, I'd also be able to infer exactly what you downloaded
or updated.


[Bug 1186793] Re: Updating is over insecure connection

2016-03-21 Thread Launchpad Bug Tracker
[Expired for Ubuntu because there has been no activity for 60 days.]

** Changed in: ubuntu
   Status: Incomplete => Expired


[Bug 1186793] Re: Updating is over insecure connection

2016-01-21 Thread Mikaela Suomalainen
How do gpg signatures and SHA512 sums help with other people in the open
WLAN or between me and the mirror being able to see what exactly I
download or update?


[Bug 1186793] Re: Updating is over insecure connection

2016-01-21 Thread Dimitri John Ledkov
We do not provide a default way to receive updates in a private manner.
However, one can arrange private methods of doing so. Create an Ubuntu
mirror via an out-of-band connection and point your machines there,
thus not exposing update traffic to a monitored connection.

After establishing an out-of-band mirror, you may even wish to publish
it over SSL. That is totally valid, and supported by all Ubuntu
installations that have the apt-transport-https package installed.


[Bug 1186793] Re: Updating is over insecure connection

2016-01-21 Thread Dimitri John Ledkov
= Updates =

Ubuntu downloads updates over http by default; however, that is not
insecure. This is because all those updates are validated with GPG
against the keys that are already on the system in the ubuntu-keyring
package.

The signatures on our updates are strong, based on SHA512 checksums at
the moment.

It is signed at the moment by two keys, as we are still in a transition
period: a 1024-bit DSA key and a 4096-bit RSA key.
See for yourself at:
http://archive.ubuntu.com/ubuntu/dists/xenial/InRelease

And that key is part of the strong set of trusted GPG keys. E.g. I am
lucky enough to have a trust path to those keys via James Troup and
Steve Langasek. But I find that much stronger than arbitrarily trusting
all SSL certs, for example.

Switching to SSL is a knee-jerk reaction, which is not really
appropriate for a mirrored update server. First of all, we must support
people creating a private mirror of Ubuntu on internal networks to
update their internal infrastructure. And on the other hand we may not
trust all SSL certificates from all the authorities either (because then
a rogue CA would be able to misrepresent an update server). This means
that if we were to rely on SSL, we would have to use certificate pinning
to only ever trust a single certificate, thus making the overall
security solution less reliable than the current secure GnuPG-protected
updates.

Also note that the security track record of GnuPG signing and validation
is far better to date than that of SSL/TLS across multiple
implementations of both server and client sides.

= Initial installation =
Granted, the initial ubuntu-keyring package is installed on the system
from somewhere. It typically comes from an .iso image which the person
downloads and installs. To be prudent, one should verify the SHA
checksums of the .iso images, and the gpg signatures of those checksums,
thus validating that the image has in fact originated from Ubuntu by
means of the GnuPG web of trust.

e.g.
http://releases.ubuntu.com/trusty/SHA256SUMS
http://releases.ubuntu.com/trusty/SHA256SUMS.gpg

= End note =
Ubuntu does not use MD5 as the only, nor as the default, checksumming.
It is not used to generate signatures. Please note that SSL, TLS, and
GnuPG are all types of cryptographic signatures. Thus I'm not sure what
you mean by some of your statements.

Overall we protect the content, rather than the protocol, and thus
support CDN distribution, a global mirroring network and country
mirrors. Unlike TLS, the encryption key does not participate in
establishing the connection, and thus is maintained offline, avoiding a
class of problems with leaking key material, as has been demonstrated
with TLS and the Heartbleed vulnerability.

The privacy issue is not addressed; this is true. However, this alone
does not undermine the security and authenticity of the Ubuntu update
process.

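The verification chain Dimitri describes above (a signed InRelease body that lists index checksums, indexes that list per-package checksums), together with the SHA256SUMS check from the initial-installation section, as an added example that is not part of this thread and not apt's own code. It takes the Release body as already signature-verified (apt performs that step with gpgv against the ubuntu-keyring keys) and walks the rest of the chain on constructed sample data: the Release and Packages field layout follows the real formats, but every hash, size, path, package name and date below is made up for the example. It also rejects a payload whose length differs from the declared Size before hashing it, which is the defence against the endless-data attack named in bug 247445, and treats an expired Valid-Until, where a Release carries one, as a possible replay.

```python
# Added example: the hash chain that an apt signature anchors, on constructed data.
import hashlib
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


class VerificationError(Exception):
    """Raised when any link in the content chain fails to verify."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_release_hashes(release_text: str, algo: str = "SHA256") -> dict:
    """Return {path: (hexdigest, size)} from the '<algo>:' block of a Release body.
    Entry lines are indented by one space: ' <hash> <size> <path>'."""
    entries, in_block = {}, False
    for line in release_text.splitlines():
        if line == f"{algo}:":
            in_block = True
            continue
        if in_block:
            if not line.startswith(" "):
                break                      # next top-level field ends the block
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_packages(packages_text: str) -> list:
    """Split a Packages index into stanzas of {Field: value} (blank-line separated)."""
    stanzas = []
    for block in re.split(r"\n\s*\n", packages_text.strip()):
        fields, last = {}, None
        for line in block.splitlines():
            if line.startswith(" ") and last:   # continuation line (e.g. Description)
                fields[last] += "\n" + line.strip()
                continue
            key, _, value = line.partition(":")
            last = key.strip()
            fields[last] = value.strip()
        stanzas.append(fields)
    return stanzas


def check_size_and_hash(data: bytes, size: int, digest: str, what: str) -> None:
    # Size first: bounds what is accepted before any hashing (endless-data defence).
    if len(data) != size:
        raise VerificationError(f"{what}: size {len(data)} != declared {size}")
    if sha256_hex(data) != digest:
        raise VerificationError(f"{what}: SHA256 mismatch")


def verify_chain(release_text, index_path, index_bytes, filename, deb_bytes, now=None):
    """Verify Release -> Packages index -> .deb; returns the package name.
    release_text is assumed to have already passed GPG signature verification."""
    now = now or datetime.now(timezone.utc)
    m = re.search(r"^Valid-Until: (.+)$", release_text, re.M)
    if m and parsedate_to_datetime(m.group(1)) < now:   # genuine but stale: replay
        raise VerificationError("Release: Valid-Until has passed (possible replay)")
    hashes = parse_release_hashes(release_text)
    if index_path not in hashes:
        raise VerificationError(f"Release: no entry for {index_path}")
    digest, size = hashes[index_path]
    check_size_and_hash(index_bytes, size, digest, index_path)
    for stanza in parse_packages(index_bytes.decode()):
        if stanza.get("Filename") == filename:
            check_size_and_hash(deb_bytes, int(stanza["Size"]), stanza["SHA256"], filename)
            return stanza["Package"]
    raise VerificationError(f"Packages: no entry for {filename}")


def verify_sha256sums(sums_text: str, name: str, data: bytes) -> bool:
    """Check data against a SHA256SUMS file ('<hex>  *<name>' lines); the detached
    SHA256SUMS.gpg signature over sums_text is assumed already verified."""
    for line in sums_text.splitlines():
        digest, _, listed = line.partition(" ")
        if listed.strip().lstrip("*") == name:
            return sha256_hex(data) == digest
    return False


# --- constructed sample archive (hashes derived from the stand-in bytes) ---
DEB_NAME = "pool/main/h/hello/hello_2.10-1_amd64.deb"
DEB_BYTES = b"!<arch>\nconstructed stand-in for a .deb archive\n"
INDEX_PATH = "main/binary-amd64/Packages"
PACKAGES = (f"Package: hello\nVersion: 2.10-1\nArchitecture: amd64\nFilename: {DEB_NAME}\n"
            f"Size: {len(DEB_BYTES)}\nSHA256: {sha256_hex(DEB_BYTES)}\n").encode()
RELEASE = ("Origin: Ubuntu\nSuite: xenial\nDate: Thu, 21 Jan 2016 12:00:00 +0000\n"
           "Valid-Until: Sat, 20 Feb 2016 12:00:00 +0000\nSHA256:\n"
           f" {sha256_hex(PACKAGES)} {len(PACKAGES)} {INDEX_PATH}\n")
ISO_NAME, ISO_BYTES = "example.iso", b"constructed stand-in for an .iso image\n"
SHA256SUMS = f"{sha256_hex(ISO_BYTES)} *{ISO_NAME}\n"


def demo() -> dict:
    """Run the chain on the sample data and on tampered variants; outcomes by case."""
    now = datetime(2016, 1, 22, tzinfo=timezone.utc)          # inside Valid-Until
    results = {"genuine": verify_chain(RELEASE, INDEX_PATH, PACKAGES, DEB_NAME, DEB_BYTES, now)}
    cases = {"tampered_deb": (PACKAGES, DEB_BYTES[:-1] + b"X", now),
             "padded_deb": (PACKAGES, DEB_BYTES + b"\0" * 16, now),
             "tampered_index": (PACKAGES.replace(b"hello", b"hullo"), DEB_BYTES, now),
             "replayed_release": (PACKAGES, DEB_BYTES, datetime(2016, 3, 1, tzinfo=timezone.utc))}
    for name, (idx, deb, when) in cases.items():
        try:
            verify_chain(RELEASE, INDEX_PATH, idx, DEB_NAME, deb, when)
            results[name] = "accepted"
        except VerificationError as err:
            results[name] = str(err)
    results["iso"] = verify_sha256sums(SHA256SUMS, ISO_NAME, ISO_BYTES)
    results["iso_tampered"] = verify_sha256sums(SHA256SUMS, ISO_NAME, ISO_BYTES + b"x")
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Every check here is over content alone, so the result is the same whether the bytes arrived over plain http from a CDN, from a private mirror, or over SSL: a mirror that alters a package or index cannot pass, and only the signed Release body, which this example takes as input, needs to be bound to the offline signing key.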

[Bug 1186793] Re: Updating is over insecure connection

2016-01-21 Thread Dimitri John Ledkov
Please let me know if you have further concerns.

** Changed in: ubuntu
   Status: Confirmed => Incomplete


[Bug 1186793] Re: Updating is over insecure connection

2014-10-24 Thread Matthew Paul Thomas
This requires more than just switching to HTTPS. The updates UI will
also need to explain HTTPS failures in such a way that users don't seek
insecure workarounds.

Windows updates are being subjected to MITM patches. Windows Update
correctly fails to install them, but gives a vague error code. Googling
for a solution to the problem leads people to a direct download that is
not subject to the same security checking and can therefore be MITMed
successfully. 

Discouraging people from bypassing HTTPS errors is a problem also faced by 
browser designers.

[Bug 1186793] Re: Updating is over insecure connection

2014-08-22 Thread Matthew Paul Thomas
Fixing this might depend on bug 1185159 and/or bug 1209292.

** Description changed:

  Relying on signatures is silly. It gives attackers much more control
  over a situation, and we already know that this *doesn't work* when weak
  signatures like MD5 are used (see Flame hash collision). Is the average
  user going to get attacked this way, with a collision? Maybe not. But
  Ubuntu servers are going to get targeted, and updating over HTTP just
  doesn't make sense.
  
  Flame may have been a government attack aimed at other governments, but
  users were infected. They were attacked to get to the government
  systems. So whether you're a server or a high value target or whatever,
  there are people who will try to exploit this system. Preventing this is
  as simple as properly implementing HTTPS and encouraging third party
  developers to do the same with their packages.
  
  https://www.cs.arizona.edu/stork/packagemanagersecurity/
  
  https://en.wikipedia.org/wiki/Flame_(malware)#Operation
  
  HTTPS with HSTS in particular will prevent:
  
  1) An attacker from viewing traffic that can give them information as to
  the attack surface on a system. They can see which applications are at
  which versions, and how often the system is updating.
  
  2) It means that if the signing key is compromised the attacker can
  install their own updates via MITM.
  
  HTTPS prevents this.
  
  Is there any solid reason why updates are still over an insecure
  connection? Microsoft has updated over a secure connection for a year
  now.
+ 
+ The equivalent for the initial Ubuntu download is bug 1359836.
+ 
+ This bug was featured on HTTP Shaming.
+ 

** Information type changed from Public to Public Security


[Bug 1186793] Re: Updating is over insecure connection

2013-06-04 Thread Colin O'Brien
** This bug is no longer a duplicate of bug 247445
   Package managers vulnerable to replay and endless data attacks


[Bug 1186793] Re: Updating is over insecure connection

2013-06-03 Thread Colin O'Brien
*** This bug is a duplicate of bug 247445 ***
https://bugs.launchpad.net/bugs/247445

Like Chris Thompson said, completely different bug report. Not a
duplicate.


[Bug 1186793] Re: Updating is over insecure connection

2013-06-03 Thread Chris Thompson
*** This bug is a duplicate of bug 247445 ***
https://bugs.launchpad.net/bugs/247445

The linked bug is not a duplicate of this one. That bug was for the
replay and endless data attacks posed in the Stork work. This bug is
that the repositories are not served over HTTPS, which is another issue
that the Stork work pointed out.


[Bug 1186793] Re: Updating is over insecure connection

2013-06-03 Thread Nick Rhodes
*** This bug is a duplicate of bug 247445 ***
https://bugs.launchpad.net/bugs/247445

** This bug has been marked a duplicate of bug 247445
   Package managers vulnerable to replay and endless data attacks


[Bug 1186793] Re: Updating is over insecure connection

2013-06-02 Thread Colin O'Brien
I tried assigning ia32-apt-get but it says it isn't a package in Ubuntu.


[Bug 1186793] Re: Updating is over insecure connection

2013-06-02 Thread Ubuntu Foundations Team Bug Bot
Thank you for taking the time to report this bug and helping to make
Ubuntu better.  It seems that your bug report is not filed about a
specific source package though, rather it is just filed against Ubuntu
in general.  It is important that bug reports be filed about source
packages so that people interested in the package can find the bugs
about it.  You can find some hints about determining what package your
bug might be about at https://wiki.ubuntu.com/Bugs/FindRightPackage.
You might also ask for help in the #ubuntu-bugs irc channel on Freenode.

To change the source package that this bug is filed about visit
https://bugs.launchpad.net/ubuntu/+bug/1186793/+editstatus and add the
package name in the text box next to the word Package.

[This is an automated message.  I apologize if it reached you
inappropriately; please just reply to this message indicating so.]

** Tags added: bot-comment


[Bug 1186793] Re: Updating is over insecure connection

2013-06-02 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: ubuntu
   Status: New => Confirmed
