On Fri, May 30, 2014 at 8:15 PM, Alfie John wrote:
> Taking a look at the Debian mirror list, I see none serving over HTTPS:
>
> https://www.debian.org/mirror/list
Then you aren't trying hard enough, several of them support https,
these ones at least:
https://mirrors.kernel.org/debian/
https:/
On Sat, May 31, 2014 at 2:41 AM, W. Martin Borgert wrote:
> in a VM or a container (not sure, whether a docker container is
> considered safe enough, but chroot is not sufficient).
One of the Debian Linux kernel package maintainers doesn't consider
containers to be secure enough to rely solely on
On Fri, May 30, 2014 at 09:43:47PM +0200, Erwan David wrote:
Note that at least debian.org DNS is signed by DNSSEC and DANE is used,
which allows to check that the certificate used by a debian.org site is
the real one.
We're not at the point where that can be relied on in the real world.
There
On 30/05/2014 22:02, Henrique de Moraes Holschuh wrote:
> On Fri, 30 May 2014, Erwan David wrote:
> >> On 30/05/2014 21:30, Joey Hess wrote:
>>> Alfie John wrote:
Taking a look at the Debian mirror list, I see none serving over HTTPS:
https://www.debian.org/mirror/list
>>> https://m
On Fri, 30 May 2014, Erwan David wrote:
> On 30/05/2014 21:30, Joey Hess wrote:
> > Alfie John wrote:
> >> Taking a look at the Debian mirror list, I see none serving over HTTPS:
> >> https://www.debian.org/mirror/list
> > https://mirrors.kernel.org/debian is the only one I know of.
> >
> > It
On 30/05/2014 21:30, Joey Hess wrote:
> Alfie John wrote:
>> Taking a look at the Debian mirror list, I see none serving over HTTPS:
>>
>> https://www.debian.org/mirror/list
> https://mirrors.kernel.org/debian is the only one I know of.
>
> It would be good to have a few more, because there ar
Alfie John wrote:
> Taking a look at the Debian mirror list, I see none serving over HTTPS:
>
> https://www.debian.org/mirror/list
https://mirrors.kernel.org/debian is the only one I know of.
It would be good to have a few more, because there are situations where
debootstrap is used without de
Quoting Jeremie Marguerie :
Thanks for bringing that issue! I feel the same way when I install a
package from a non-official PPA.
Unfortunately, every package can do anything: pre-inst, post-inst,
pre-rm, post-rm run as root. If you don't trust a PPA the same way
you trust your OS vendor (Debian
On Fri, May 30, 2014 at 10:35:58AM -0700, Jeremie Marguerie wrote:
In the end, the PPA can do pretty much whatever it wants from your
system and this is scary. This is a hard problem to protect against
and the only protection I see is... only install PPAs you can trust.
Yup; any pinning mechani
On 30.05.2014 21:35, Jeremie Marguerie wrote:
To "protect" openssh-server you would need to prevent modification of
its dependency. But the PPA could just install a program that
overrides the openssh-server manually (without doing that from APT).
In this case, unless you run debsums you wouldn'
On Fri, May 30, 2014 at 10:03 AM, Hans Spaans wrote:
> What basically is missing for a running system is repository signing key
> pinning for packages that would "prevent" that a third party repository
> could upgrade components provided by the base OS. How many of us didn't
> add debian-multime
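The repository pinning Hans Spaans asks about can be expressed with apt_preferences(5). This is an added example, not part of the thread or of any Debian documentation; the file path and the hostname ppa.example.org are hypothetical stand-ins for a third-party repository listed in sources.list. Giving every package from that origin priority 100 means apt picks a version from it only when no other source (the Debian archive, at the default 500) offers the package, so the repository can add new packages but never upgrade or replace ones the base OS provides, even if its version number is higher.

```text
# /etc/apt/preferences.d/99-third-party   (hypothetical path)
# "origin" matches the hostname from sources.list, not the Release Origin field.
Package: *
Pin: origin "ppa.example.org"
Pin-Priority: 100
```

Check the effect with `apt-cache policy openssh-server`: the candidate version must come from the Debian archive. As the replies in this thread point out, this only governs version selection. A package that does come from the third-party repository still runs its preinst/postinst scripts as root and can overwrite files outside dpkg's view, so pinning is not a trust boundary.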
On Fri, 2014-05-30 at 10:53 -0400, Michael Stone wrote:
> On Sat, May 31, 2014 at 12:46:12AM +1000, Alfie John wrote:
> >Sorry for asking questions.
>
> Don't apologize for asking questions, it's perfectly reasonable to do so
> and you'll find that many people in debian are more than happy to answ
From: Daniel
To: Alfie John ; debian-security@lists.debian.org
Sent: Friday, May 30, 2014 10:16 PM
Subject: Re: Debian mirrors and MITM
> The thing is: When you download an .iso file, that .iso file also contains a
> signing key used to verify each package i
On Sat, May 31, 2014 at 12:46:12AM +1000, Alfie John wrote:
Sorry for asking questions.
Don't apologize for asking questions, it's perfectly reasonable to do so
and you'll find that many people in debian are more than happy to answer
questions. Just make sure that you put in enough effort you
On Sat, May 31, 2014, at 12:39 AM, Michael Stone wrote:
> On Sat, May 31, 2014 at 12:32:59AM +1000, Alfie John wrote:
> >I'm definitely wanting to engage in serious discussion. I'm an avid
> >Debian user and am wanting to protect its users. This *is* the Debian
> >security mailing list after all ri
On May 30, 2014, at 10:11 AM, Alfie John wrote:
>
>>. keeps an adversary who may be listening on the wire from
>> looking at what you are installing. who cares what you are
>> installing? well it turns out that is very interesting
>> information. If you can see
I have to laugh at this, my phone was going off constantly this morning,
and I was thinking "I don't have this much email normally!" Looked over
the discussion and thought, "didn't this discussion happen recently?"
It was something I was randomly thinking about one day too, but really
plain-tex
On Sat, May 31, 2014, at 12:11 AM, Michael Stone wrote:
> On Fri, May 30, 2014 at 11:50:32PM +1000, Alfie John wrote:
> >Several times (public and private) I tried to explain how the
> >download of APT (the binary itself) on an initial Debian install
> >could be compromised via MITM since it's over
On Sat, May 31, 2014 at 12:32:59AM +1000, Alfie John wrote:
I'm definitely wanting to engage in serious discussion. I'm an avid
Debian user and am wanting to protect its users. This *is* the Debian
security mailing list after all right? All I was trying to do is ask
questions as to why it is curr
On Sat, May 31, 2014 at 12:11:28AM +1000, Alfie John wrote:
On Sat, May 31, 2014, at 12:06 AM, micah anderson wrote:
. keeps an adversary who may be listening on the wire from
looking at what you are installing. who cares what you are
installing? well it turns out tha
On Fri, May 30, 2014 at 11:50:32PM +1000, Alfie John wrote:
> Several times (public and private) I tried to explain how the download
> of APT (the binary itself) on an initial Debian install could be
> compromised via MITM since it's over plaintext. Then the verification of
> packages could simply
On Fri, May 30, 2014 at 11:50:32PM +1000, Alfie John wrote:
Several times (public and private) I tried to explain how the download
of APT (the binary itself) on an initial Debian install could be
compromised via MITM since it's over plaintext. Then the verification of
packages could simply be ski
On Sat, May 31, 2014, at 12:06 AM, micah anderson wrote:
> >> > The cryptographic signatures that are validated automatically by
> >> > apt.
> >>
> >> What's stopping the attacker from serving a compromised apt?
> >
> > apt will check that the new apt is properly signed.
>
> This entire secure arti
On May 30, 2014, at 9:50 AM, Alfie John wrote:
>>
>> The whole point here is that Debian is already verifying the content it
>> is receiving from any given data source. This was done from the very
>> beginning because anyone can mirror and distribute Debian software. So
>> unless there is a fla
Kurt Roeckx writes:
> On Fri, May 30, 2014 at 10:43:56PM +1000, Alfie John wrote:
>> On Fri, May 30, 2014, at 10:24 PM, Michael Stone wrote:
>> > On Fri, May 30, 2014 at 10:15:01PM +1000, Alfie John wrote:
>> > >The public Debian mirrors seem like an obvious target for governments to
>> > >MITM.
On Fri, May 30, 2014, at 11:37 PM, Reid Sutherland wrote:
> >> Oh, and those key fingerprints are on an https page for those who
> >> actually trust the CA system.
> >
> > That was my next question. If the fingerprints are on a HTTPS served
> > page, then yes that seems like a valid solution.
> >
On May 30, 2014, at 9:30 AM, Alfie John wrote:
> On Fri, May 30, 2014, at 11:27 PM, Michael Stone wrote:
>> On Fri, May 30, 2014 at 09:24:47AM -0400, Michael Stone wrote:
>>> That's why you verify the initial install media per the link I posted
>>> earlier...
>>
>> Oh, and those key fingerprint
On Fri, May 30, 2014, at 11:29 PM, Michael Stone wrote:
> On Fri, May 30, 2014 at 11:25:58PM +1000, Alfie John wrote:
> >Well yes, that's something. But serving Debian over HTTPS would prevent
> >the need for this.
>
> No, it wouldn't--you'd just have a different set of problems. Given that
> mir
On Fri, May 30, 2014, at 11:27 PM, Michael Stone wrote:
> On Fri, May 30, 2014 at 09:24:47AM -0400, Michael Stone wrote:
> >That's why you verify the initial install media per the link I posted
> >earlier...
>
> Oh, and those key fingerprints are on an https page for those who
> actually trust the
On Fri, May 30, 2014 at 11:25:58PM +1000, Alfie John wrote:
Well yes, that's something. But serving Debian over HTTPS would prevent
the need for this.
No, it wouldn't--you'd just have a different set of problems. Given that
mirrors are distributed, it would probably be much more likely that
y
On Fri, May 30, 2014 at 09:24:47AM -0400, Michael Stone wrote:
That's why you verify the initial install media per the link I posted
earlier...
Oh, and those key fingerprints are on an https page for those who
actually trust the CA system.
--
To UNSUBSCRIBE, email to debian-security-requ...
Yes, but I think this time it will not be better...
Some (most?) mirrors are supporting https. If you want to use https just try
which mirrors are supporting it.
ftp.us.d.o will not work very well because of the DNS round robin.
On 30 May 2014 15:16:29 CEST, Alfie John wrote:
>On Fri, May 30,
On Fri, May 30, 2014, at 11:24 PM, Michael Stone wrote:
> On Fri, May 30, 2014 at 11:13:31PM +1000, Alfie John wrote:
> >As what I posted earlier, all you would need to do is to MITM the
> >install of APT during an install. Who cares what the signatures look
> >like since you've NOPed the checksumm
On Fri, May 30, 2014 at 11:13:31PM +1000, Alfie John wrote:
As what I posted earlier, all you would need to do is to MITM the
install of APT during an install. Who cares what the signatures look
like since you've NOPed the checksumming code!
That's why you verify the initial install media per t
On Fri, May 30, 2014, at 11:17 PM, Reid Sutherland wrote:
> > As what I posted earlier, all you would need to do is to MITM the
> > install of APT during an install. Who cares what the signatures look
> > like since you've NOPed the checksumming code!
>
> So OpenSSL can be flawed and nobody bats a
On May 30, 2014, at 9:13 AM, Alfie John wrote:
> On Fri, May 30, 2014, at 11:08 PM, Adam D. Barratt wrote:
The cryptographic signatures that are validated automatically by apt.
>>>
>>> What's stopping the attacker from serving a compromised apt?
>>
>> How would you get the client's system
On Fri, May 30, 2014, at 11:03 PM, Estelmann, Christian wrote:
> In Oct 2013 a similar discussion started
> https://lists.debian.org/debian-security/2013/10/msg00027.html
Thanks for the link, but that discussion went nowhere pretty fast.
Alfie
--
Alfie John
alf...@fastmail.fm
On Fri, May 30, 2014, at 11:08 PM, Adam D. Barratt wrote:
> >> The cryptographic signatures that are validated automatically by apt.
> >
> > What's stopping the attacker from serving a compromised apt?
>
> How would you get the client's system to install it in the first place?
> (More specifical
On Fri, May 30, 2014 at 10:43:56PM +1000, Alfie John wrote:
> On Fri, May 30, 2014, at 10:24 PM, Michael Stone wrote:
> > On Fri, May 30, 2014 at 10:15:01PM +1000, Alfie John wrote:
> > >The public Debian mirrors seem like an obvious target for governments to
> > >MITM. I know that the MD5s are als
On 2014-05-30 13:43, Alfie John wrote:
On Fri, May 30, 2014, at 10:24 PM, Michael Stone wrote:
On Fri, May 30, 2014 at 10:15:01PM +1000, Alfie John wrote:
>The public Debian mirrors seem like an obvious target for governments to
>MITM. I know that the MD5s are also published, but unless you're
>
In Oct 2013 a similar discussion started
https://lists.debian.org/debian-security/2013/10/msg00027.html
On 30 May 2014 14:15:01 CEST, Alfie John wrote:
>Hi guys,
>
>Taking a look at the Debian mirror list, I see none serving over HTTPS:
>
> https://www.debian.org/mirror/list
>
>The public Debia
On 30/05/2014 8:52 PM, Michael Stone wrote:
On Fri, May 30, 2014 at 10:43:56PM +1000, Alfie John wrote:
What's stopping the attacker from serving a compromised apt?
https://www.debian.org/CD/verify
That will cover the installer, for the packages see:
https://wiki.debian.org/SecureApt
--
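The two links in the message above describe one chain of trust: verified install media carries the archive key, the key signs the Release file, Release carries the hash of every Packages index, and each Packages index carries the hash of every .deb. The following is an added example (not code from apt, from Debian, or from anyone in the thread) that models the hash part of that chain offline so the point about transport is concrete: a mirror or a MITM on a plaintext connection can swap bytes, but every swapped byte below the signed Release file fails a hash check, and changing Release itself would fail the signature check. The gpg verification of Release is the assumed precondition and is only marked in a comment; all archive contents and filenames are constructed in build_sample().

```python
"""Offline model of the SecureApt hash chain: Release -> Packages -> .deb.

Added example; not apt's code. The gpg signature on Release (the root of
trust, keyed from verified install media) is assumed, not performed, because
it needs the real archive key. All archive contents below are constructed.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_release_sha256(release_text: str) -> dict:
    """Map path -> (sha256, size) from the 'SHA256:' section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):           # a field name, not a hash entry
            in_section = line.strip() == "SHA256:"
            continue
        if in_section:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_packages(packages_text: str) -> list:
    """Split a Packages index into stanza dicts (stanzas are blank-line separated)."""
    stanzas, cur = [], {}
    for line in packages_text.splitlines():
        if not line.strip():
            if cur:
                stanzas.append(cur)
                cur = {}
            continue
        key, _, value = line.partition(":")
        cur[key] = value.strip()
    if cur:
        stanzas.append(cur)
    return stanzas


def verify_chain(release_text: str, packages_files: dict, debs: dict):
    """Check each supplied Packages file against Release and each supplied .deb
    against its Packages stanza. Returns (ok, failures).
    Precondition (assumed, not run here): gpg --verify of Release against the
    archive key succeeded, so a MITM cannot simply rewrite Release as well."""
    failures = []
    expected = parse_release_sha256(release_text)
    for path, data in packages_files.items():
        if path not in expected:
            failures.append(f"{path}: not listed in Release")
            continue
        digest, size = expected[path]
        if len(data) != size or sha256_hex(data) != digest:
            failures.append(f"{path}: hash/size mismatch against Release")
            continue                            # do not trust its .deb hashes
        for stanza in parse_packages(data.decode()):
            name = stanza["Filename"]
            if name not in debs:
                continue                        # not downloaded, nothing to check
            deb = debs[name]
            if len(deb) != int(stanza["Size"]) or sha256_hex(deb) != stanza["SHA256"]:
                failures.append(f"{name}: hash/size mismatch against Packages")
    return (not failures, failures)


def build_sample(tamper_deb=False, tamper_index=False):
    """Constructed one-package archive (made-up filenames). The tamper flags
    model a MITM on a plaintext mirror swapping bytes below the signed Release."""
    deb = b"!<arch>\nconstructed apt_1.0_amd64.deb payload\n"
    packages = (
        "Package: apt\nVersion: 1.0\nArchitecture: amd64\n"
        "Filename: pool/main/a/apt/apt_1.0_amd64.deb\n"
        f"Size: {len(deb)}\nSHA256: {sha256_hex(deb)}\n\n"
    ).encode()
    release = (
        "Origin: Debian\nSuite: stable\nSHA256:\n"
        f" {sha256_hex(packages)} {len(packages)} main/binary-amd64/Packages\n"
    )
    if tamper_deb:      # same length, different bytes: a size check alone would pass
        deb = deb.replace(b"payload", b"PAYLOAD")
    if tamper_index:    # attacker rewrites the index but cannot re-sign Release
        packages = packages.replace(b"Version: 1.0", b"Version: 1.1")
    return (release, {"main/binary-amd64/Packages": packages},
            {"pool/main/a/apt/apt_1.0_amd64.deb": deb})


if __name__ == "__main__":
    for flags in ({}, {"tamper_deb": True}, {"tamper_index": True}):
        ok, failures = verify_chain(*build_sample(**flags))
        print(flags or "clean", "->", "OK" if ok else failures)
```

Run it and the clean archive passes, the swapped .deb is caught at the Packages level and the rewritten index at the Release level. The same shape applies to the installer check at https://www.debian.org/CD/verify: SHA512SUMS is the manifest, its .sign file is the signature, and the image is the leaf.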
On Fri, May 30, 2014, at 10:49 PM, Chris Boot wrote:
> >> The cryptographic signatures that are validated automatically by apt.
> >
> > What's stopping the attacker from serving a compromised apt?
>
> Oh god not this again.
>
> How exactly does using HTTPS solve this particular problem, anyway?
On 30/05/14 13:43, Alfie John wrote:
> On Fri, May 30, 2014, at 10:24 PM, Michael Stone wrote:
>> On Fri, May 30, 2014 at 10:15:01PM +1000, Alfie John wrote:
>>> The public Debian mirrors seem like an obvious target for governments to
>>> MITM. I know that the MD5s are also published, but unless yo
On Fri, May 30, 2014, at 10:43 PM, Alfie John wrote:
> > The cryptographic signatures that are validated automatically by apt.
>
> What's stopping the attacker from serving a compromised apt?
Thinking about this more, If I wanted to target a Debian system via
MITM, serving a compromised APT woul
On Fri, May 30, 2014 at 10:43:56PM +1000, Alfie John wrote:
What's stopping the attacker from serving a compromised apt?
https://www.debian.org/CD/verify
On Fri, May 30, 2014, at 10:24 PM, Michael Stone wrote:
> On Fri, May 30, 2014 at 10:15:01PM +1000, Alfie John wrote:
> >The public Debian mirrors seem like an obvious target for governments to
> >MITM. I know that the MD5s are also published, but unless you're
> >verifying them with third parties,
On Fri, May 30, 2014 at 10:15:01PM +1000, Alfie John wrote:
The public Debian mirrors seem like an obvious target for governments to
MITM. I know that the MD5s are also published, but unless you're
verifying them with third parties, what's stopping the MD5s being
compromised too?
The cryptograp
Hi guys,
Taking a look at the Debian mirror list, I see none serving over HTTPS:
https://www.debian.org/mirror/list
The public Debian mirrors seem like an obvious target for governments to
MITM. I know that the MD5s are also published, but unless you're
verifying them with third parties, what'
49 matches