[Dev] Mirrors vulnerability issue, Many outdated installs in the wild
Denis 'GNUtoo' Carikli
GNUtoo at no-log.org
Sun Feb 14 17:40:42 GMT 2016
In order for upgrades to be safe, signatures are not enough.
This is because most old packages are signed with a key that is
trusted by the system being updated.
Even if dbs are signed, that still applies.
The main idea is to:
--------------------
-> Prevent MITM attacks. This should be done soon in my opinion.
-> Prevent mirrors that have not been updated from being picked up by
pacman; this doesn't address the malicious mirrors concern.
-> Prevent malicious mirrors.
On Sat, 13 Feb 2016 23:06:38 +0100
Denis 'GNUtoo' Carikli <GNUtoo at no-log.org> wrote:
> How should Parabola deal with it:
> ---------------------------------
> We need various solutions, for shorter and longer term.
As said, I think we should enforce https or onion for mirrors.
This is to prevent MITM. I however wonder how to enforce the security
of TLS, since it can be configured to be unsafe on both the server side
and the client side.
With that done, just having the mirrorlist hosted by parabola (for
instance in a parabola/mirrorlist) protects against malicious MITM and
against mirrors not being updated for various reasons.
I however wonder what would happen if a mirror also includes an old
version of the mirrorlist.
Can it do that, or does the db prevent that? It probably would if it
was signed by parabola.
A malicious mirror would then have these options left:
-> Have a version of the mirror served that was made before the move
of the mirrorlists. I guess that would be noticed easily and be very
impractical since, in the long run, it would only contain software
that is older than what is running on the user's computer.
-> As a mirror, pacman will contact it, and it might still be able to
host an older version of the mirrorlist instead of the usual packages.
Still even deploying that would be more secure than the current status.
> Medium term:
> ------------
> We might want to split the db update files from the packages, and make
> the parabola infrastructure serve them, still with a transport that
> can't be tampered with to avoid man in the middle attacks.
We might also want to prevent pacman from picking it from a mirror that
is not supposed to host it (like a mirror that already hosts the usual
packages).
Denis.
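As an added example (not part of Denis's mail or of Parabola's or pacman's own tooling), the following stand-alone Python script applies the two client-side policies discussed above to a pacman-style mirrorlist: it keeps only mirrors reachable over https or as a .onion service, and it rejects mirrors whose repo db is older than a freshness window, so an old but validly signed db is not picked up. The mirrorlist, the hostnames, the db timestamps and the seven-day threshold are all constructed for the example.

```python
"""Added example: mirror transport and freshness policy for a pacman-style
mirrorlist. Everything below (mirror URLs, db timestamps, age threshold)
is constructed; nothing is fetched from the network."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

MAX_DB_AGE = timedelta(days=7)  # constructed policy value

# Constructed mirrorlist in pacman's format ($repo/$arch are pacman's own
# placeholders, expanded by pacman at fetch time).
MIRRORLIST = """\
## Constructed mirrorlist for the example
Server = https://mirror-a.example.org/parabola/$repo/os/$arch
Server = http://mirror-b.example.org/parabola/$repo/os/$arch
#Server = https://disabled.example.org/parabola/$repo/os/$arch
Server = http://exampleonionaddress.onion/parabola/$repo/os/$arch
Server = https://mirror-c.example.org/parabola/$repo/os/$arch
"""

# Constructed modification times of each mirror's repo db, as a client
# could record them from the Last-Modified header when fetching $repo.db.
NOW = datetime(2016, 2, 14, 17, 40, tzinfo=timezone.utc)
DB_MTIME = {
    "mirror-a.example.org": NOW - timedelta(days=1),
    "mirror-b.example.org": NOW - timedelta(hours=3),
    "exampleonionaddress.onion": NOW - timedelta(days=2),
    "mirror-c.example.org": NOW - timedelta(days=40),  # not synced: stale
}


@dataclass
class Verdict:
    url: str
    accepted: bool
    reason: str


def parse_mirrorlist(text):
    """Return the active Server= URLs; blank and commented-out lines are skipped."""
    urls = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.strip() == "Server" and value.strip():
            urls.append(value.strip())
    return urls


def transport_is_safe(url):
    """https anywhere, or a .onion host: Tor authenticates the onion
    endpoint itself, so plain http to an onion service is acceptable."""
    p = urlparse(url)
    if p.scheme == "https":
        return True
    return p.scheme == "http" and p.hostname is not None and p.hostname.endswith(".onion")


def evaluate(url, db_mtime, now=NOW, max_age=MAX_DB_AGE):
    """Apply the transport rule first, then the freshness rule."""
    host = urlparse(url).hostname
    if not transport_is_safe(url):
        return Verdict(url, False, "transport is not https/onion (MITM exposed)")
    mtime = db_mtime.get(host)
    if mtime is None:
        return Verdict(url, False, "no db timestamp recorded")
    age = now - mtime
    if age > max_age:
        return Verdict(url, False, f"db is {age.days} days old (stale mirror)")
    return Verdict(url, True, "ok")


def filter_mirrors(text=MIRRORLIST, db_mtime=DB_MTIME):
    return [evaluate(u, db_mtime) for u in parse_mirrorlist(text)]


def accepted_hosts(text=MIRRORLIST, db_mtime=DB_MTIME):
    return [urlparse(v.url).hostname for v in filter_mirrors(text, db_mtime) if v.accepted]


if __name__ == "__main__":
    for v in filter_mirrors():
        print("ACCEPT" if v.accepted else "REJECT", v.url, "-", v.reason)
```

With the constructed data, mirror-b is rejected for plain http, mirror-c for a 40-day-old db, and only mirror-a and the onion mirror remain. Note that the freshness check trusts the timestamp the mirror itself reports, so it catches neglected mirrors but not a malicious one that lies about its db age, which is the distinction the mail draws between outdated and malicious mirrors; against the latter only a parabola-signed, expiring db or mirrorlist helps.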