[Bug 911497] New: Downloads from download.opensuse.org and mirrors open to man-in-the-middle attacks
http://bugzilla.opensuse.org/show_bug.cgi?id=911497

Bug ID: 911497
Summary: Downloads from download.opensuse.org and mirrors open to man-in-the-middle attacks
Classification: openSUSE
Product: openSUSE Distribution
Version: 13.2
Hardware: All
OS: openSUSE 13.2
Status: NEW
Severity: Major
Priority: P5 - None
Component: Other
Assignee: bnc-team-screening@forge.provo.novell.com
Reporter: cschroedl@usgs.gov
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Build Identifier:

The checksums for the iso downloads of openSUSE 13.2 are not available over https. Checksums should be delivered over https in order to ensure the authenticity of the download. Currently when a user attempts to download a file from download.opensuse.org, any man in the middle can serve a maliciously constructed iso with whatever software they want, and also serve a valid checksum of their malicious file. Without serving openSUSE checksums over https, users have no guarantee that they are installing secure software.

Currently, the 13.2 download page (https://software.opensuse.org/132/en) only provides links to the checksums over http:

http://download.opensuse.org/distribution/13.2/iso/openSUSE-13.2-DVD-x86_64....
http://download.opensuse.org/distribution/13.2/iso/openSUSE-13.2-DVD-x86_64....
http://download.opensuse.org/distribution/13.2/iso/openSUSE-13.2-DVD-x86_64....

Switching the protocol on the links from http to https yields timeout errors. In fact, it does not seem possible to access anything via https on download.opensuse.org, or on the mirrors.

I discovered this vulnerability in the context of openSUSE 13.2, but it is probable that the problem is more widespread. To enable secure retrieval of openSUSE software, it must be possible (and perhaps mandatory) for checksums to be retrieved via https. It is not necessary to deliver the actual large download files over https as long as the checksums are delivered securely.

Reproducible: Always

Steps to Reproduce:
1. For example, access: https://download.opensuse.org/distribution/13.2/iso/openSUSE-13.2-DVD-x86_64...

Actual Results:
The connection times out

Expected Results:
Securely download the checksum

This is a problem throughout the software industry. A brief survey of the problem is here: http://www.elvey.com/insecure/

-- You are receiving this mail because: You are on the CC list for the bug.
Neil Rickert
Bernhard Wiedemann
gpg: Signature made Tue 04 Nov 2014 13:36:36 CET using RSA key ID 3DBDC284
gpg: Good signature from "openSUSE Project Signing Key"
Bernhard Wiedemann
Bernhard Wiedemann