Why no SSL for download.opensuse.org ?

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Why no SSL for download.opensuse.org ?

Malte Gell
We have learned how much effort governments take to control and monitor
the Internet. With this in regard, wouldn´t it make sense to switch
download.opensuse.org to SSL? I know, rpm packages are signed with
GnuPG, but if you add a new repo an attacker still is able to give you a
forged GnuPG key and a forged repo, not the repo you actually tried to
subscribe to. Thus, GnuPG signing of rpm does not prohibit man in the
middle attacks. I think SSL for download.opensuse.org would give more
safety to people living in authoritarian regimes who want to download
openSUSE software.

Malte


signature.asc (567 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Why no SSL for download.opensuse.org ?

Eoin Kirwan-3
On Sat 06 Jul 2013 10:34:45 Malte Gell wrote:

> We have learned how much effort governments take to control and monitor
> the Internet. With this in regard, wouldn´t it make sense to switch
> download.opensuse.org to SSL? I know, rpm packages are signed with
> GnuPG, but if you add a new repo an attacker still is able to give you a
> forged GnuPG key and a forged repo, not the repo you actually tried to
> subscribe to. Thus, GnuPG signing of rpm does not prohibit man in the
> middle attacks. I think SSL for download.opensuse.org would give more
> safety to people living in authoritarian regimes who want to download
> openSUSE software.
>
> Malte

The downloads themselves don't need to be SSL. Nobody should really trust a
large download without a checksum or some other sort of error checking. Many
people use torrents now anyway, and often they're more reliable. But the
openSUSE web page with the checksums for the downloads should absolutely be
SSL. This should be easy to do.

Regards,

Eoin


--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Why no SSL for download.opensuse.org ?

Carlos E. R.-2
In reply to this post by Malte Gell
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Content-ID: <[hidden email]>


On Saturday, 2013-07-06 at 10:34 +0200, Malte Gell wrote:

> We have learned how much effort governments take to control and monitor
> the Internet. With this in regard, wouldn´t it make sense to switch
> download.opensuse.org to SSL? I know, rpm packages are signed with
> GnuPG, but if you add a new repo an attacker still is able to give you a
> forged GnuPG key and a forged repo, not the repo you actually tried to
> subscribe to. Thus, GnuPG signing of rpm does not prohibit man in the
> middle attacks. I think SSL for download.opensuse.org would give more
> safety to people living in authoritarian regimes who want to download
> openSUSE software.

Not practical.

Most of the downloads do not come from download.opensuse.org, but from
mirrors all over the world. The certificate would apply to
download.opensuse.org, whereas the actual download might be comming from
anywhere (download.opensuse.org is a redirector); meaning they would not
match and the connection would be invalidated.

To do this you would force all mirrors to provide ssl with the proper
certificate (which costs money). Or opensuse.org would have to act as
certification authority.

What you need instead is convincing openSUSE to apply a good security
policy to the GnuPG signatures used.

For example, view this thread for more info:
<http://forums.opensuse.org/showthread.php?t=469581>


or vote:

<https://features.opensuse.org/312047>
make repo keys available on project's web site via SSL

or more info:

<https://forums.opensuse.org/english/other-forums/community-fun/general-chit-chat/448550-new-signing-key-opensuse-11-3-contrib-trust-not-trust.html>
<https://forums.opensuse.org/english/get-technical-help-here/install-boot-login/466970-new-repository-key-how-verify.html>

- --
Cheers,
        Carlos E. R.
        (from 12.3 x86_64 "Dartmouth" at Telcontar)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

iEYEARECAAYFAlHZzskACgkQtTMYHG2NR9VRNACeOw5ObvpMLhceyeJKndzOKK5K
pDgAn1VSuAQxy0d77YKqoxxxcPheLXOv
=j7Rm
-----END PGP SIGNATURE-----