Differences between revisions 1 and 40 (spanning 39 versions)
Revision 1 as of 2014-09-24 00:48:52
Size: 1209
Editor: PaulWise
Comment: brain dump
Revision 40 as of 2021-03-28 10:52:55
Size: 4022
Editor: PaulWise
Comment: httpredir is dead, the domain is transitional
Line 6: Line 6:
 * SSL CA and DNSSEC/TLSA/DANE trust paths to Debian SSL certs
 * [[https://anonscm.debian.org/cgit/mirror/dsa-puppet.git/tree/modules/unbound/files/debian.org.key|SSL connection]] to the Debian DNSSEC keys
 * Official mirror run by DSA on the Tor network ([[http://richardhartmann.de/blog/posts/2015/08/24-Tor-enabled_Debian_mirror/|announcement]], [[http://richardhartmann.de/blog/posts/2015/08/25-Tor-enabled_Debian_mirror_part_2/|followup]]), unofficial ones run by Debian members too
 * netboot.tar.gz are verifiable via the OpenPGP-signed Release files
 * win32-loader is verifiable via the OpenPGP-signed files called [[http://ftp.debian.org/debian/extrafiles|extrafiles]]
 * deb.debian.org supports https
Line 9: Line 15:
 * No alternate trust paths to Debian or mirror SSL certs
 * No OpenPGP trust paths (i.e. Monkeysphere) to Debian or mirror SSL certs
 * No OpenPGP trust paths to Debian DNSSEC keys
 * Not available in browser certificate pinning (HPKP)
Line 14: Line 22:
 * http.debian.net does not currently support https but can easily be made to
 * cdn.debian.net does not currently support https but with a lot of effort it can be made to
 * No mirrors that are Tor hidden services
 * win32-loader is not Windows-code-signed nor OpenPGP-signed
 * Security update notices are via email
 * No suggestions to or documentation about how to verify signatures
 * No downloads that use the [[http://www.w3.org/TR/SRI/#downloads-1|subresource integrity for downloads]] standard.
 * No magnet: links for bittorrent downloads on SSL
 * No magnet: links for bittorrent downloads on OpenPGP-signed email
 * No publishing of hashes of various things in Bitcoin/etc blockchains
 * win32-loader is not Windows-code-signed
 * win32-loader is not available in the Microsoft Windows Store
 * No Debian installer is available in the Apple Store or other popular stores
Line 22: Line 35:
 * [[https://biterrant.io/|BitErrant]] attacks on BitTorrent via SHA-1 collisions
 * No ISO hashes available over HTTPS
 * More prominent OpenPGP fingerprints for ISOs
Line 23: Line 39:
 * Image downloader/writer programs that verify signatures and hashes
 * di-netboot-assistant does not verify things DebianBug:775904
 * snapshot.debian.org validation requires turning off Valid-Until, using expired signatures and old keys, idea for a fix in DebianBug:763419
 * [[https://lists.debian.org/deity/2014/02/msg00017.html|Possible apt sources.list improvements]]
 * [[UntrustedDebs|all .deb packages are ultimately trusted by the system]]
 * [[SHA-1]] is used in various places in Debian and by tools we use
 * [[TorifyDebianServices|Not all Debian services are on Tor onion services]]
 * Debian doesn't yet support binary transparency services (like [[http://boingboing.net/2016/03/10/using-distributed-code-signatu.html|Cothority]])
 * [[https://lists.debian.org/msgid-search/f90f8dba-010b-400a-d786-4d41509dca9f@gmail.com|buildds do not verify source packages against developer keyrings]]
 * [[http://worldwidemann.com/the-sad-state-of-linux-download-security/|User-oriented checklist]]
 * [[https://lists.debian.org/msgid-search/5349366.2255222.1468289218262.JavaMail.yahoo@mail.yahoo.com|More]]

== See also ==

 * [[http://www.scrye.com/wordpress/nirik/2016/02/23/a-fedora-distribution-download-primer/|Fedora's status and plans]]
 * [[http://blog.linuxmint.com/?p=3007|Linux Mint new security aspects]]
 * [[https://blogs.gnome.org/mcatanzaro/2016/03/12/do-you-trust-this-application/|Discussion of HTTPS, OpenPGP and ISOs etc]]

Solved

  • Debian websites use SSL certs verifiable by most existing OSes
  • Some mirrors have https enabled and use SSL certs verifiable by most existing OSes
  • Most suites have Valid-Until, preventing indefinite downgrade attacks
  • SSL CA and DNSSEC/TLSA/DANE trust paths to Debian SSL certs
  • SSL connection to the Debian DNSSEC keys
  • Official mirror run by DSA on the Tor network (announcement, followup), unofficial ones run by Debian members too
  • netboot.tar.gz are verifiable via the OpenPGP-signed Release files
  • win32-loader is verifiable via the OpenPGP-signed files called extrafiles
  • deb.debian.org supports https
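What the two "Solved" items above (netboot.tar.gz verifiable via the signed Release files, and Valid-Until blocking indefinite downgrade) amount to in code, as an added example that is not part of the wiki page: parse the Release file's SHA256 section, refuse a Release whose Valid-Until has passed, then compare the downloaded file's hash and size. It assumes the Release file's OpenPGP signature has already been checked with gpgv against the Debian archive keyring; the Release text and file bytes are constructed samples.

```python
"""Hash-check a file listed in a Debian Release file (here netboot.tar.gz) and
enforce Valid-Until. Added example, not code from the wiki page. ASSUMPTION: the
Release file's OpenPGP signature was already verified, e.g. with
  gpgv --keyring /usr/share/keyrings/debian-archive-keyring.gpg Release.gpg Release
(without that step the hash list itself is unauthenticated)."""
import hashlib
from datetime import datetime, timezone

NETBOOT_PATH = "main/installer-amd64/current/images/netboot/netboot.tar.gz"
SAMPLE_FILE = b"constructed stand-in for netboot.tar.gz\n"  # constructed sample data
# Constructed Release file; layout mirrors the real format (" hash size path").
SAMPLE_RELEASE = """Suite: stable
Date: Sat, 27 Mar 2021 10:00:00 UTC
Valid-Until: Sat, 03 Apr 2021 10:00:00 UTC
SHA256:
 {} {} {}
""".format(hashlib.sha256(SAMPLE_FILE).hexdigest(), len(SAMPLE_FILE), NETBOOT_PATH)
NOW = datetime(2021, 3, 28, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo
DATE_FMT = "%a, %d %b %Y %H:%M:%S %Z"

def parse_release(text):
    """Return (header fields, {path: (sha256 hex, size)}) from Release text."""
    fields, hashes, section = {}, {}, None
    for line in text.splitlines():
        if line.startswith(" "):  # indented line: entry of the current hash section
            if section == "SHA256":
                digest, size, path = line.split()
                hashes[path] = (digest, int(size))
        elif line:
            key, _, value = line.partition(":")
            section, fields[key] = key, value.strip()
    return fields, hashes

def is_current(fields, now):
    """False once Valid-Until has passed: an old but validly signed Release must be rejected."""
    valid_until = datetime.strptime(fields["Valid-Until"], DATE_FMT)
    return now <= valid_until.replace(tzinfo=timezone.utc)

def verify_file(release_text, path, data, now=NOW):
    """Return 'ok', 'expired', 'unlisted' or 'mismatch' for data claimed to be path."""
    fields, hashes = parse_release(release_text)
    if not is_current(fields, now):
        return "expired"
    if path not in hashes:
        return "unlisted"
    digest, size = hashes[path]
    if len(data) != size or hashlib.sha256(data).hexdigest() != digest:
        return "mismatch"
    return "ok"
```

Against a real mirror you would fetch dists/<suite>/Release plus Release.gpg, run gpgv first, and only then feed the Release text and the downloaded netboot.tar.gz bytes to verify_file.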

Issues

  • No OpenPGP trust paths (i.e. Monkeysphere) to Debian or mirror SSL certs
  • No OpenPGP trust paths to Debian DNSSEC keys
  • Not available in browser certificate pinning (HPKP)
  • Mirror updates are not authenticated in any way
  • Most clients contacting mirrors reveal package names and version numbers
  • Most mirrors probably have default apache2 logging (recording packages, versions, IPs etc)
  • Mirrors list does not contain any info about https support
  • Security update notices are via email
  • No suggestions to or documentation about how to verify signatures
  • No downloads that use the subresource integrity for downloads standard
  • No magnet: links for bittorrent downloads on SSL
  • No magnet: links for bittorrent downloads on OpenPGP-signed email
  • No publishing of hashes of various things in Bitcoin/etc blockchains
  • win32-loader is not Windows-code-signed
  • win32-loader is not available in the Microsoft Windows Store
  • No Debian installer is available in the Apple Store or other popular stores
  • ISO images server and mirrors have the same issues as repository mirrors
  • Front page of Debian website links to an ISO image but no signature
  • Verifying the ISO images is a convoluted process
  • Torrent files for the ISO images are not able to be verified
  • BitErrant attacks on BitTorrent via SHA-1 collisions
  • No ISO hashes available over HTTPS
  • More prominent OpenPGP fingerprints for ISOs
  • Preinstalled systems are not able to be verified
  • Image downloader/writer programs that verify signatures and hashes
  • di-netboot-assistant does not verify things 775904
  • snapshot.debian.org validation requires turning off Valid-Until, using expired signatures and old keys, idea for a fix in 763419
  • Possible apt sources.list improvements
  • all .deb packages are ultimately trusted by the system
  • SHA-1 is used in various places in Debian and by tools we use
  • Not all Debian services are on Tor onion services
  • Debian doesn't yet support binary transparency services (like Cothority)
  • buildds do not verify source packages against developer keyrings
  • User-oriented checklist
  • More