[opensuse-buildservice] Downloading (signing keys at least) from OBS via HTTPS?

newer
[opensuse-buildservice] dependency...

Archie Cobbs

11 Aug 2016 11 Aug '16

13:31

Although OBS provides signing keys, I'm pretty certain that the majority of users do not actually verify their fingerprints before selecting "Trust Always". Oh well it's not a perfect world. However, we could improve things a lot without requiring changing any behavior if the download site supported HTTPS access instead of only HTTP. Normal use of HTTPS is becoming standard practice these days - google, github, etc. For example, this HTTPS URL does NOT work: https://download.opensuse.org/repositories/Apache/openSUSE_Leap_42.1/repodat... instead you have to use insecure HTTP: http://download.opensuse.org/repositories/Apache/openSUSE_Leap_42.1/repodata... Any reason we can't secure OBS access? If not, can we at least do it for the signing key files themselves? With what we have now, and users tendency to "Trust Always" without thinking, the signing keys are not really doing what they could. -Archie -- Archie L. Cobbs -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org

Show replies by date

Bruno Friedmann

11 Aug 11 Aug

14:58

On jeudi, 11 août 2016 08.31:02 h CEST Archie Cobbs wrote:

...

Although OBS provides signing keys, I'm pretty certain that the majority of users do not actually verify their fingerprints before selecting "Trust Always".

Oh well it's not a perfect world.

However, we could improve things a lot without requiring changing any behavior if the download site supported HTTPS access instead of only HTTP. Normal use of HTTPS is becoming standard practice these days - google, github, etc.

For example, this HTTPS URL does NOT work:

https://download.opensuse.org/repositories/Apache/openSUSE_Leap_42.1/repoda ta/repomd.xml.key

instead you have to use insecure HTTP:

http://download.opensuse.org/repositories/Apache/openSUSE_Leap_42.1/repodat a/repomd.xml.key

Any reason we can't secure OBS access? If not, can we at least do it for the signing key files themselves?

With what we have now, and users tendency to "Trust Always" without thinking, the signing keys are not really doing what they could.

-Archie

even if download.o.o was serving https download.o.o is a redirector so you will get the key from one mirror which certainly not offer all https. What to do ? Grab list of mirrors, and ask kindly to their hostmaster to install and support https Once all are done, things can be easily improved no ? ;-) -- Bruno Friedmann Ioda-Net Sàrl www.ioda-net.ch Bareos Partner, openSUSE Member, fsfe fellowship GPG KEY : D5C9B751C4653227 irc: tigerfoot -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org

Andreas Stieger

15:02

Hello, On 08/11/2016 04:58 PM, Bruno Friedmann wrote:

...

even if download.o.o was serving https download.o.o is a redirector so you will get the key from one mirror which certainly not offer all https.

Some items are excluded from redirection, and that includes keys.

...

What to do ? Grab list of mirrors, and ask kindly to their hostmaster to install and support https Once all are done, things can be easily improved no ?

HTTPS (signed by *any* CA) is a downgrade in security compared to signed metadata and packages. Andreas -- Andreas Stieger Project Manager Security SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg) -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org

Archie Cobbs

16:41

On Thu, Aug 11, 2016 at 10:02 AM, Andreas Stieger wrote:

...

HTTPS (signed by *any* CA) is a downgrade in security compared to signed metadata and packages.

True.. but just to be clear, we're talking about a specific (but common) scenario, which is when a user downloads the signing key via zypper ref, automatically answering "Trust Always?" with yes. In this scenario what we have today is delivery of that key via HTTP. I'm suggesting we change this to HTTPS, which is much more secure. Still the ideal, truly "correct" thing for everyone to do is not blindly "Trust Always" ... this would just be a practical improvement given the current state of things. Right now signing keys effectively provide no security. This change would bump that up to HTTPS security. -Archie -- Archie L. Cobbs -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org

Per Jessen

16:49

Archie Cobbs wrote:

...

On Thu, Aug 11, 2016 at 10:02 AM, Andreas Stieger wrote:

...
HTTPS (signed by *any* CA) is a downgrade in security compared to signed metadata and packages.

True.. but just to be clear, we're talking about a specific (but common) scenario, which is when a user downloads the signing key via zypper ref, automatically answering "Trust Always?" with yes.

In this scenario what we have today is delivery of that key via HTTP. I'm suggesting we change this to HTTPS, which is much more secure.

That key isn't confidential (or is it?), so what might be gained by enabling https ? -- Per Jessen, Zürich (20.9°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland. -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org

Archie Cobbs

16:58

On Thu, Aug 11, 2016 at 11:49 AM, Per Jessen wrote:

...

...
On Thu, Aug 11, 2016 at 10:02 AM, Andreas Stieger wrote:

...
HTTPS (signed by *any* CA) is a downgrade in security compared to signed metadata and packages.

True.. but just to be clear, we're talking about a specific (but common) scenario, which is when a user downloads the signing key via zypper ref, automatically answering "Trust Always?" with yes.

In this scenario what we have today is delivery of that key via HTTP. I'm suggesting we change this to HTTPS, which is much more secure.

That key isn't confidential (or is it?), so what might be gained by enabling https ?

Delivery of the key is vulnerable to a man-in-the-middle attack when using only HTTP. Any once you've installed my bogus signing key, I can sign any bogus package I want with it and you would trust it. -Archie -- Archie L. Cobbs -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org

Martin Koegler

17:27

On Thu, Aug 11, 2016 at 11:58:24AM -0500, Archie Cobbs wrote:

...

On Thu, Aug 11, 2016 at 11:49 AM, Per Jessen wrote:

...
...
True.. but just to be clear, we're talking about a specific (but common) scenario, which is when a user downloads the signing key via zypper ref, automatically answering "Trust Always?" with yes.

In this scenario what we have today is delivery of that key via HTTP. I'm suggesting we change this to HTTPS, which is much more secure.

That key isn't confidential (or is it?), so what might be gained by enabling https ?

Delivery of the key is vulnerable to a man-in-the-middle attack when using only HTTP.

Are the signing keys somewhere shown in the WebUI? Regards, Martin -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org

Adrian Schröter

12 Aug 12 Aug

12:46

On Donnerstag, 11. August 2016, 19:27:02 CEST wrote Martin Koegler:

...

On Thu, Aug 11, 2016 at 11:58:24AM -0500, Archie Cobbs wrote:

...
On Thu, Aug 11, 2016 at 11:49 AM, Per Jessen wrote:

...
...
True.. but just to be clear, we're talking about a specific (but common) scenario, which is when a user downloads the signing key via zypper ref, automatically answering "Trust Always?" with yes.

In this scenario what we have today is delivery of that key via HTTP. I'm suggesting we change this to HTTPS, which is much more secure.

That key isn't confidential (or is it?), so what might be gained by enabling https ?

Delivery of the key is vulnerable to a man-in-the-middle attack when using only HTTP.

Are the signing keys somewhere shown in the WebUI?

Not yet, but there is an open feature for it. You can get them using osc signkey $project but you need an account for that. -- Adrian Schroeter email: adrian@suse.de SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg) Maxfeldstraße 5 90409 Nürnberg Germany -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org

Per Jessen

07:46

Archie Cobbs wrote:

...

On Thu, Aug 11, 2016 at 11:49 AM, Per Jessen wrote:

...
...
On Thu, Aug 11, 2016 at 10:02 AM, Andreas Stieger wrote:

...
HTTPS (signed by *any* CA) is a downgrade in security compared to signed metadata and packages.

True.. but just to be clear, we're talking about a specific (but common) scenario, which is when a user downloads the signing key via zypper ref, automatically answering "Trust Always?" with yes.

In this scenario what we have today is delivery of that key via HTTP. I'm suggesting we change this to HTTPS, which is much more secure.

That key isn't confidential (or is it?), so what might be gained by enabling https ?

Delivery of the key is vulnerable to a man-in-the-middle attack when using only HTTP.

Any once you've installed my bogus signing key, I can sign any bogus package I want with it and you would trust it.

Okay. Well, technically I see there nothing preventing us from enabling https, we could use Let's Encrypt certificates for instance. Forcing https for anything that isn't mirrored should also be possible. I don't have the access to look into it, so maybe write to admin@opensuse.org and propose it. -- Per Jessen, Zürich (15.1°C) http://www.dns24.ch/ - your free DNS host, made in Switzerland. -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org

Adrian Schröter

12:54

On Donnerstag, 11. August 2016, 16:58:39 CEST wrote Bruno Friedmann:

...

On jeudi, 11 août 2016 08.31:02 h CEST Archie Cobbs wrote:

...
Although OBS provides signing keys, I'm pretty certain that the majority of users do not actually verify their fingerprints before selecting "Trust Always".

Oh well it's not a perfect world.

However, we could improve things a lot without requiring changing any behavior if the download site supported HTTPS access instead of only HTTP. Normal use of HTTPS is becoming standard practice these days - google, github, etc.

For example, this HTTPS URL does NOT work:

https://download.opensuse.org/repositories/Apache/openSUSE_Leap_42.1/repoda ta/repomd.xml.key

instead you have to use insecure HTTP:

http://download.opensuse.org/repositories/Apache/openSUSE_Leap_42.1/repodat a/repomd.xml.key

Any reason we can't secure OBS access? If not, can we at least do it for the signing key files themselves?

With what we have now, and users tendency to "Trust Always" without thinking, the signing keys are not really doing what they could.

-Archie

even if download.o.o was serving https download.o.o is a redirector so you will get the key from one mirror which certainly not offer all https.

we could deliver it itself, similar to what we do with meta data already.

...

What to do ? Grab list of mirrors, and ask kindly to their hostmaster to install and support https Once all are done, things can be easily improved no ? ;-)

However, redirection from https to another https or http works only if the client supports it. I do not have an overview atm which clients would break here ... -- Adrian Schroeter email: adrian@suse.de SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg) Maxfeldstraße 5 90409 Nürnberg Germany -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org

2824

Age (days ago)

2825

Last active (days ago)

List overview

Download

9 comments

6 participants

participants (6)

Adrian Schröter
Andreas Stieger
Archie Cobbs
Bruno Friedmann
Martin Koegler
Per Jessen