Doubt on the security model of OBS repo signing


Doubt on the security model of OBS repo signing

star
## Prelude

Recently I received a checksum error during a system upgrade, something
like this:

> 2017-09-11 20:28:48 <1> brilliant-laptop(25623) [zypp++]
> MediaCurl.cc(log_redirects_curl):135 redirecting to Location:
> http://ftp-srv2.kddilabs.jp/Linux/packages/opensuse/tumbleweed/repo/oss/suse/noarch/qemu-sgabios-8-1.1.noarch.rpm
> 2017-09-11 20:28:48 <2> brilliant-laptop(25623) [FileChecker]
> FileChecker.cc(operator()):64 File
> /var/cache/zypp/packages/repo-oss/suse/noarch/qemu-sgabios-8-1.1.noarch.rpm
> has wrong checksum sha1-1f96e12b066af531cec4d104fa4522966fb8af4f
> (expected sha1-18f04703e82b012340400398f0b7404b07b77769)

I think my ISP might have a transparent proxy server to save their
bandwidth, and the file on that proxy server might be broken. I have
even once been offered a corrupted installer ISO! (It installed
without any error in a test VM.)

I am not sure if I am suffering from a deliberate MITM attack. So I
spent some time investigating the security model of openSUSE package
delivery.

## Investigation

I set up Wireshark and some other tools to capture the network data.
Here are my findings. (If anything below is wrong, please tell me.)

- All official repos (repo-debug, repo-non-oss, repo-oss, repo-source,
repo-update) are HTTP, but their GPG keys are preloaded in the installer
ISO. If the user checksums their installation media, this will be safe
enough.
- If the user chooses to One-Click-Install an "unstable package" on
software.opensuse.org, the ymp script is served over HTTPS, but OBS
repository URLs are HTTP by default.
- OneClickInstallUI fetches repomd.xml.key over plain HTTP, and asks the
user whether to "Import Untrusted GPG Key".
- It is not easy to check whether the GPG key is correct by hand & eye.
At least it is not one-click-available, since the "GPG Key / SSL
Certificate" button is only visible on the page of your own OBS project.
- It is lucky that repomd.xml.key is not distributed to 3rd-party
mirrors by MirrorBrain. Although mirrors can do no evil to the key, it
might still be vulnerable to an MITM attack.

Conclusion: official repos are safe, but OBS repos are something we
might need to be careful about.

Although openSUSE is not responsible for the quality of the software in
user repos, it had better lengthen the shortest stave on the security
barrel for the user.

## Suggestions

It might be difficult to modify the current architecture. I want to
suggest some ways to make it better. I am not sure if they work; let's
just discuss them.

1. Embedding the GPG key in the ymp script.
This might require modification to OneClickInstallUI, and it is safe
once the ymp is served over HTTPS.
Any 3rd-party repo may benefit from the feature by embedding their keys.

2. Showing the GPG key in a place where the user can never miss it. Also
educate the user to check it.
This includes not hiding the "GPG Key / SSL Certificate" button for
repos not owned by oneself.
In addition, put it on both build.opensuse.org and
software.opensuse.org.

3. Alternatively, serving the repo metadata over HTTPS, but packages over
HTTP.
This requires the least modification to the client. Since repomd.xml.key
already bypasses MirrorBrain, simply changing the repo's URL to HTTPS
will make it safe.
As side-effects, it will increase the load on the download.opensuse.org
server, and will increase the time required to do a "zypper refresh".

Anyway, if I made any mistake in this mail, please tell me. I hope
openSUSE could be more secure and easier to use.

--
StarBrilliant
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]
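As an added example (not from the mail or from libzypp), a small Python tool that pulls checksum failures like the one quoted above out of libzypp log text, attributes each failure to the mirror redirect that preceded it, and verifies data against libzypp's "<algo>-<hex>" checksum format; the sample log is the mail's two log entries re-joined onto single lines.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the two libzypp lines from the mail above, one entry per line.
SAMPLE_LOG = """\
2017-09-11 20:28:48 <1> brilliant-laptop(25623) [zypp++] MediaCurl.cc(log_redirects_curl):135 redirecting to Location: http://ftp-srv2.kddilabs.jp/Linux/packages/opensuse/tumbleweed/repo/oss/suse/noarch/qemu-sgabios-8-1.1.noarch.rpm
2017-09-11 20:28:48 <2> brilliant-laptop(25623) [FileChecker] FileChecker.cc(operator()):64 File /var/cache/zypp/packages/repo-oss/suse/noarch/qemu-sgabios-8-1.1.noarch.rpm has wrong checksum sha1-1f96e12b066af531cec4d104fa4522966fb8af4f (expected sha1-18f04703e82b012340400398f0b7404b07b77769)
"""

REDIRECT_RE = re.compile(r"redirecting to Location: (?P<url>\S+)")
MISMATCH_RE = re.compile(
    r"File (?P<path>\S+) has wrong checksum "
    r"(?P<algo>[a-z0-9]+)-(?P<actual>[0-9a-f]+) "
    r"\(expected (?P=algo)-(?P<expected>[0-9a-f]+)\)"
)


@dataclass
class ChecksumMismatch:
    timestamp: str
    path: str
    algo: str
    actual: str
    expected: str
    served_from: Optional[str]  # last mirror redirect seen before the failure, if any


def parse_mismatches(log_text: str) -> list:
    """Extract checksum failures from libzypp log text and attribute each one to
    the most recent mirror redirect, so a broken mirror or proxy can be identified."""
    last_redirect = None
    found = []
    for line in log_text.splitlines():
        if (m := REDIRECT_RE.search(line)):
            last_redirect = m.group("url")
            continue
        if (m := MISMATCH_RE.search(line)):
            found.append(ChecksumMismatch(line[:19], m["path"], m["algo"],
                                          m["actual"], m["expected"], last_redirect))
            last_redirect = None  # consumed; the next failure needs its own redirect
    return found


def verify_checksum(data: bytes, expected: str) -> bool:
    """Check data against a libzypp-style "<algo>-<hex>" checksum string."""
    algo, _, digest = expected.partition("-")
    if algo not in hashlib.algorithms_guaranteed:
        raise ValueError(f"unsupported checksum algorithm: {algo}")
    return hashlib.new(algo, data).hexdigest() == digest.lower()
```

A mismatch that always follows a redirect to the same mirror points at that mirror or a proxy in front of it; mismatches spread across many mirrors point at the local network path.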


Re: Doubt on the security model of OBS repo signing

Marcus Meissner
Hi,

Thank you for your long and detailed E-Mail!

On Tue, Sep 12, 2017 at 12:51:13AM +0800, [hidden email] wrote:

> ## Prelude
>
> Recently I received a checksum error during a system upgrade, something like
> this:
>
> >2017-09-11 20:28:48 <1> brilliant-laptop(25623) [zypp++]
> >MediaCurl.cc(log_redirects_curl):135 redirecting to Location: http://ftp-srv2.kddilabs.jp/Linux/packages/opensuse/tumbleweed/repo/oss/suse/noarch/qemu-sgabios-8-1.1.noarch.rpm
> >2017-09-11 20:28:48 <2> brilliant-laptop(25623) [FileChecker]
> >FileChecker.cc(operator()):64 File
> >/var/cache/zypp/packages/repo-oss/suse/noarch/qemu-sgabios-8-1.1.noarch.rpm
> >has wrong checksum sha1-1f96e12b066af531cec4d104fa4522966fb8af4f (expected
> >sha1-18f04703e82b012340400398f0b7404b07b77769)
>
> I think my ISP might have a transparent proxy server to save their
> bandwidth, and the file on that proxy server might be broken. I have even
> once been offered a corrupted installer ISO! (It installed without any
> error in a test VM.)
>
> I am not sure if I am suffering from a deliberate MITM attack. So I spent
> some time investigating the security model of openSUSE package delivery.
>
> ## Investigation
>
> I set up Wireshark and some other tools to capture the network data. Here
> are my findings. (If anything below is wrong, please tell me.)
>
> - All official repos (repo-debug, repo-non-oss, repo-oss, repo-source,
> repo-update) are HTTP, but their GPG keys are preloaded in the installer
> ISO. If the user checksums their installation media, this will be safe
> enough.

This is correct.

> - If the user chooses to One-Click-Install an "unstable package" on
> software.opensuse.org, the ymp script is served over HTTPS, but OBS repository
> URLs are HTTP by default.
> - OneClickInstallUI fetches repomd.xml.key over plain HTTP, and asks the user
> whether to "Import Untrusted GPG Key".
> - It is not easy to check whether the GPG key is correct by hand & eye. At
> least it is not one-click-available, since the "GPG Key / SSL Certificate"
> button is only visible on the page of your own OBS project.

This is also correct.

> - It is lucky that repomd.xml.key is not distributed to 3rd-party mirrors
> by MirrorBrain. Although mirrors can do no evil to the key, it might still
> be vulnerable to an MITM attack.

This is intentional: the repomd* files are delivered only by
download.opensuse.org.

> Conclusion: official repos are safe, but OBS repos are something we might
> need to be careful about.
>
> Although openSUSE is not responsible for the quality of the software in user
> repos, it had better lengthen the shortest stave on the security barrel
> for the user.
>
> ## Suggestions
>
> It might be difficult to modify the current architecture. I want to suggest
> some ways to make it better. I am not sure if they work; let's just discuss
> them.
>
> 1. Embedding the GPG key in the ymp script.
> This might require modification to OneClickInstallUI, and it is safe once
> the ymp is served over HTTPS.
> Any 3rd-party repo may benefit from the feature by embedding their keys.
>
> 2. Showing the GPG key in a place where the user can never miss it. Also educate
> the user to check it.
> This includes not hiding the "GPG Key / SSL Certificate" button for repos not
> owned by oneself.
> In addition, put it on both build.opensuse.org and software.opensuse.org.
>
> 3. Alternatively, serving the repo metadata over HTTPS, but packages over HTTP.
> This requires the least modification to the client. Since repomd.xml.key
> already bypasses MirrorBrain, simply changing the repo's URL to HTTPS will
> make it safe.
> As side-effects, it will increase the load on the download.opensuse.org server,
> and will increase the time required to do a "zypper refresh".
>
> Anyway, if I made any mistake in this mail, please tell me. I hope openSUSE
> could be more secure and easier to use.

We enabled https support on download.opensuse.org a while ago, and the
next step for us is what you suggest in "Step 3", namely changing
software.opensuse.org to deliver https instead of http URLs.

(I had opened https://github.com/openSUSE/software-o-o/issues/123 a while ago
and sent a pull request after receiving your e-mail.)

The GPG chain of trust model is tricky for package management and we have
been reviewing improvements on that on and off; there likely is work to do.

Ciao, Marcus for SUSE Security
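As an added example, not from the thread or from the software-o-o project, a Python audit of a One-Click-Install YMP file that lists every repository whose URL is not https (its repomd.xml.key and metadata would be fetched in the clear) and rewrites http URLs on download.opensuse.org to https, which is the change discussed above; the YMP element names and namespace are assumed from the format, and the sample metapackage is constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Namespace of One-Click-Install metapackages (assumed from the YMP format).
YMP_NS = "http://opensuse.org/Standards/One_Click_Install"
ET.register_namespace("", YMP_NS)  # keep the default namespace when re-serialising

# Constructed sample YMP: one plain-http OBS home repo plus the https base repo.
SAMPLE_YMP = f"""<?xml version="1.0"?>
<metapackage xmlns="{YMP_NS}">
  <group>
    <repositories>
      <repository recommended="true">
        <name>home:example:devel</name>
        <url>http://download.opensuse.org/repositories/home:/example:/devel/openSUSE_Tumbleweed/</url>
      </repository>
      <repository recommended="true">
        <name>openSUSE:Tumbleweed</name>
        <url>https://download.opensuse.org/tumbleweed/repo/oss/</url>
      </repository>
    </repositories>
    <software><item><name>example-tool</name></item></software>
  </group>
</metapackage>
"""


def _q(tag):
    """Qualify a tag name with the YMP namespace."""
    return f"{{{YMP_NS}}}{tag}"


def plaintext_repos(ymp_text):
    """Return (name, url) for every repository whose URL is not https."""
    root = ET.fromstring(ymp_text)
    bad = []
    for repo in root.iter(_q("repository")):
        name = repo.findtext(_q("name"), default="?")
        url = (repo.findtext(_q("url")) or "").strip()
        if urlsplit(url).scheme.lower() != "https":
            bad.append((name, url))
    return bad


def upgrade_to_https(ymp_text, hosts=("download.opensuse.org",)):
    """Rewrite http:// repository URLs on hosts known to serve https.
    Returns the new XML text and the number of URLs changed."""
    root = ET.fromstring(ymp_text)
    changed = 0
    for url_el in root.iter(_q("url")):
        parts = urlsplit((url_el.text or "").strip())
        if parts.scheme == "http" and parts.hostname in hosts:
            url_el.text = urlunsplit(("https",) + tuple(parts[1:]))
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed
```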


Re: Doubt on the security model of OBS repo signing

star
On 2017-09-13 23:26, Marcus Meissner wrote:
> Hi,
>
> Thank you for your long and detailed E-Mail!

I'm really sorry for having written too much.
Here's a short summary for other readers who don't want to read the
previous mail:
The GPG keys for OBS are delivered over plain HTTP and require a manual
check, which could be improved.

> We enabled https support on download.opensuse.org a while ago, and the
> next step for us is what you suggest in "Step 3", namely changing
> software.opensuse.org to deliver https instead of http URLs.
>
> (I had opened https://github.com/openSUSE/software-o-o/issues/123 a
> while ago and sent a pull request after receiving your e-mail.)
>
> The GPG chain of trust model is tricky for package management and we
> have been reviewing improvements on that on and off; there likely is
> work to do.

Thank you for your efforts on making openSUSE better!

By the way, have you considered those 2 other suggestions? (embedding the
GPG key into the ymp file, displaying the GPG key on the OBS project page)
Embedding the key also opens an opportunity for 3rd-party commercial
software repos, so they don't need a separate "rpm --import".

--
Best regards,
StarBrilliant


Re: Doubt on the security model of OBS repo signing

Marcus Meissner
Hi,
On Thu, Sep 14, 2017 at 12:12:34AM +0800, [hidden email] wrote:
> On 2017-09-13 23:26, Marcus Meissner wrote:
> >Hi,
> >
> >Thank you for your long and detailed E-Mail!
>
> I'm really sorry for having written too much.

No problem, that was fine :)

> Here's a short summary for other readers who don't want to read the previous
> mail:
> The GPG keys for OBS are delivered over plain HTTP and require a manual check,
> which could be improved.
>
> >We enabled https support on download.opensuse.org a while ago, and the
> >next step for us is what you suggest in "Step 3", namely changing
> >software.opensuse.org to deliver https instead of http URLs.
> >
> >(I had opened https://github.com/openSUSE/software-o-o/issues/123 a while
> >ago and sent a pull request after receiving your e-mail.)
> >
> >The GPG chain of trust model is tricky for package management and we have
> >been reviewing improvements on that on and off; there likely is work to do.
>
> Thank you for your efforts on making openSUSE better!
>
> By the way, have you considered those 2 other suggestions? (embedding the GPG
> key into the ymp file, displaying the GPG key on the OBS project page)
> Embedding the key also opens an opportunity for 3rd-party commercial
> software repos, so they don't need a separate "rpm --import".

So far we did not consider embedding GPG keys into the YMP themselves,
this is a nice idea.

The OBS project page only shows it occasionally, as you wrote, so this could
be improved more.

This is a bigger topic where we need to do more reviews and research and also
design how to best integrate it into the package management tools. :/

Ciao, Marcus