[Dev] Mirrors vulnerability issue, Many outdated installs in the wild

Denis 'GNUtoo' Carikli GNUtoo at no-log.org
Sun Feb 14 17:40:42 GMT 2016


In order for upgrades to be safe, signatures are not enough.
This is because most old packages are signed with a key that is
trusted by the system being updated.
Even if the dbs are signed, that still applies.

The main idea is to:
--------------------
-> Prevent MITM attacks. This should be done soon in my opinion.
-> Prevent non-updated mirrors from being picked up by pacman; this
   doesn't address the malicious mirrors concern.
-> Prevent malicious mirrors.

On Sat, 13 Feb 2016 23:06:38 +0100
Denis 'GNUtoo' Carikli <GNUtoo at no-log.org> wrote:

> How should Parabola deal with it:
> ---------------------------------
> We need various solutions, for shorter and longer term.
As said, I think we should enforce https or onion for mirrors.
This is to prevent MITM. I however wonder how to enforce the security
of TLS, since it can be configured to be unsafe on both the server side
and the client side.

With that done, just having the mirrorlist hosted by parabola (for
instance in a parabola/mirrorlist) protects against malicious MITM and
mirrors not being updated for various reasons.
I however wonder what would happen if a mirror also included an old
version of the mirrorlist.
Can it do that, or does the db prevent that? It probably would if it
was signed by parabola.
A malicious mirror would then have these options left:
-> Have a version of the mirror served that was made before the move
   of the mirrorlists. I guess that would be noticed easily and very
   impractical since, in the long run, it would only contain software
   that is older than what is running on the user's computer.
-> As a mirror, pacman will contact it, and it might still be able to,
   instead of hosting the usual packages, host an older version of the
   mirrorlist.

Still, even deploying that would be more secure than the current status.

> Medium term:
> ------------
> We might want to split the db update files from the packages, and make
> the parabola infrastructure serve them, still with a transport that
> can't be tampered with to avoid man in the middle attacks.
We might also want to prevent pacman from picking it from a mirror that
is not supposed to host it (like a mirror that already hosts the usual
packages).

Denis.
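Added example, not part of the post and not Parabola's or pacman's code: two client-side checks that correspond to the points raised above, the transport policy (accept only https, or .onion hosts) and a rollback check so that a mirror serving an old but validly signed mirrorlist cannot move the client to a stale list. Signature verification is assumed to have already happened. The "# Generated on ..." header carrying the list's generation stamp is a hypothetical convention invented for this example, and the mirrorlists below are constructed sample data with example hostnames.

```python
"""Mirrorlist acceptance checks (added example; hypothetical conventions).

transport_ok()      -> https anywhere, or http only to a .onion host
accept_mirrorlist() -> rejects a list whose generation stamp is older than
                       the one already installed (anti-rollback), then drops
                       mirrors that fail the transport policy
"""
from datetime import datetime, timezone
from urllib.parse import urlparse

# Hypothetical header the mirrorlist generator would emit on line 1.
GENERATION_PREFIX = "# generated on "
GENERATION_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_mirrorlist(text):
    """Return (generation datetime or None, list of Server URLs).

    Lines follow pacman's mirrorlist syntax: 'Server = <url>' entries and
    '#' comments.  The generation stamp is read from the hypothetical
    '# Generated on <UTC timestamp>' comment.
    """
    generation = None
    urls = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.lower().startswith(GENERATION_PREFIX):
                stamp = line[len(GENERATION_PREFIX):].strip()
                generation = datetime.strptime(stamp, GENERATION_FORMAT)
                generation = generation.replace(tzinfo=timezone.utc)
            continue
        if line.startswith("Server"):
            _, _, value = line.partition("=")
            urls.append(value.strip())
    return generation, urls


def transport_ok(url):
    """Transport policy from the post: https, or onion (Tor authenticates
    the .onion endpoint itself, so plain http to a .onion host is accepted)."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if parsed.scheme == "https":
        return True
    if parsed.scheme == "http" and host.endswith(".onion"):
        return True
    return False


def accept_mirrorlist(new_text, installed_generation):
    """Decide whether a freshly fetched mirrorlist may replace the installed one.

    Returns (accepted, usable_urls, reason).  The rollback check is the
    defence against a mirror that serves an old, still validly signed list.
    """
    generation, urls = parse_mirrorlist(new_text)
    if generation is None:
        return False, [], "mirrorlist has no generation stamp"
    if installed_generation is not None and generation < installed_generation:
        return False, [], "rollback: list from %s is older than installed %s" % (
            generation.isoformat(), installed_generation.isoformat())
    usable = [u for u in urls if transport_ok(u)]
    if not usable:
        return False, [], "no mirror satisfies the transport policy"
    return True, usable, "ok"


# Constructed sample data (example hostnames, not real mirrors).
INSTALLED_GENERATION = datetime(2016, 2, 13, 0, 0, 0, tzinfo=timezone.utc)

SAMPLE_NEW = """# Generated on 2016-02-14T00:00:00Z
Server = https://mirror.example.net/parabola/$repo/os/$arch
Server = http://mirror.example.org/parabola/$repo/os/$arch
Server = http://parabolaexample1234.onion/parabola/$repo/os/$arch
"""

# Same servers, but a stamp from before the installed list: a replayed old list.
SAMPLE_OLD = """# Generated on 2016-01-01T00:00:00Z
Server = https://mirror.example.net/parabola/$repo/os/$arch
"""

if __name__ == "__main__":
    for name, text in (("new", SAMPLE_NEW), ("old", SAMPLE_OLD)):
        ok, urls, reason = accept_mirrorlist(text, INSTALLED_GENERATION)
        print(name, "accepted" if ok else "rejected", reason)
        for u in urls:
            print("   ", u)
```

The plain-http mirror in the constructed list is dropped by the transport policy, and the replayed list is rejected outright even though its entries are individually acceptable, because the rollback check runs before the per-mirror filtering. The generation stamp only helps if the list is signed by the project, which is why signature verification is assumed to precede these checks.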