[opensuse-buildservice] Downloading (signing keys at least) from OBS via HTTPS?
Although OBS provides signing keys, I'm pretty certain that the majority of users do not actually verify their fingerprints before selecting "Trust Always". Oh well, it's not a perfect world.

However, we could improve things a lot without requiring changing any behavior if the download site supported HTTPS access instead of only HTTP. Normal use of HTTPS is becoming standard practice these days - google, github, etc.

For example, this HTTPS URL does NOT work:

https://download.opensuse.org/repositories/Apache/openSUSE_Leap_42.1/repodat...

instead you have to use insecure HTTP:

http://download.opensuse.org/repositories/Apache/openSUSE_Leap_42.1/repodata...

Any reason we can't secure OBS access? If not, can we at least do it for the signing key files themselves?

With what we have now, and users' tendency to "Trust Always" without thinking, the signing keys are not really doing what they could.

-Archie

--
Archie L. Cobbs

--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org
On Thursday, 11 August 2016 08.31:02 h CEST, Archie Cobbs wrote:
Although OBS provides signing keys, I'm pretty certain that the majority of users do not actually verify their fingerprints before selecting "Trust Always".
Oh well, it's not a perfect world.
However, we could improve things a lot without requiring changing any behavior if the download site supported HTTPS access instead of only HTTP. Normal use of HTTPS is becoming standard practice these days - google, github, etc.
For example, this HTTPS URL does NOT work:
https://download.opensuse.org/repositories/Apache/openSUSE_Leap_42.1/repodata/repomd.xml.key
instead you have to use insecure HTTP:
http://download.opensuse.org/repositories/Apache/openSUSE_Leap_42.1/repodata/repomd.xml.key
Any reason we can't secure OBS access? If not, can we at least do it for the signing key files themselves?
With what we have now, and users' tendency to "Trust Always" without thinking, the signing keys are not really doing what they could.
-Archie
Even if download.o.o was serving https, download.o.o is a redirector, so you will get the key from one mirror, and those certainly do not all offer https.

What to do? Grab the list of mirrors, and ask kindly to their hostmaster to install and support https. Once all are done, things can be easily improved, no? ;-)

--
Bruno Friedmann
Ioda-Net Sàrl www.ioda-net.ch
Bareos Partner, openSUSE Member, fsfe fellowship
GPG KEY : D5C9B751C4653227
irc: tigerfoot
Hello,

On 08/11/2016 04:58 PM, Bruno Friedmann wrote:
Even if download.o.o was serving https, download.o.o is a redirector, so you will get the key from one mirror, and those certainly do not all offer https.
Some items are excluded from redirection, and that includes keys.
What to do? Grab the list of mirrors, and ask kindly to their hostmaster to install and support https. Once all are done, things can be easily improved, no?
HTTPS (signed by *any* CA) is a downgrade in security compared to signed metadata and packages.
Andreas
--
Andreas Stieger
On Thu, Aug 11, 2016 at 10:02 AM, Andreas Stieger wrote:
HTTPS (signed by *any* CA) is a downgrade in security compared to signed metadata and packages.
True.. but just to be clear, we're talking about a specific (but common) scenario, which is when a user downloads the signing key via zypper ref, automatically answering "Trust Always?" with yes.

In this scenario what we have today is delivery of that key via HTTP. I'm suggesting we change this to HTTPS, which is much more secure.

Still, the ideal, truly "correct" thing for everyone to do is not blindly "Trust Always" ... this would just be a practical improvement given the current state of things. Right now signing keys effectively provide no security. This change would bump that up to HTTPS security.

-Archie

--
Archie L. Cobbs
Archie Cobbs wrote:
On Thu, Aug 11, 2016 at 10:02 AM, Andreas Stieger wrote:
HTTPS (signed by *any* CA) is a downgrade in security compared to signed metadata and packages.
True.. but just to be clear, we're talking about a specific (but common) scenario, which is when a user downloads the signing key via zypper ref, automatically answering "Trust Always?" with yes.
In this scenario what we have today is delivery of that key via HTTP. I'm suggesting we change this to HTTPS, which is much more secure.
That key isn't confidential (or is it?), so what might be gained by enabling https?

--
Per Jessen, Zürich (20.9°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On Thu, Aug 11, 2016 at 11:49 AM, Per Jessen wrote:
On Thu, Aug 11, 2016 at 10:02 AM, Andreas Stieger wrote:
HTTPS (signed by *any* CA) is a downgrade in security compared to signed metadata and packages.
True.. but just to be clear, we're talking about a specific (but common) scenario, which is when a user downloads the signing key via zypper ref, automatically answering "Trust Always?" with yes.
In this scenario what we have today is delivery of that key via HTTP. I'm suggesting we change this to HTTPS, which is much more secure.
That key isn't confidential (or is it?), so what might be gained by enabling https?
Delivery of the key is vulnerable to a man-in-the-middle attack when using only HTTP. And once you've installed my bogus signing key, I can sign any bogus package I want with it and you would trust it.

-Archie

--
Archie L. Cobbs
On Thu, Aug 11, 2016 at 11:58:24AM -0500, Archie Cobbs wrote:
On Thu, Aug 11, 2016 at 11:49 AM, Per Jessen wrote:
True.. but just to be clear, we're talking about a specific (but common) scenario, which is when a user downloads the signing key via zypper ref, automatically answering "Trust Always?" with yes.
In this scenario what we have today is delivery of that key via HTTP. I'm suggesting we change this to HTTPS, which is much more secure.
That key isn't confidential (or is it?), so what might be gained by enabling https?
Delivery of the key is vulnerable to a man-in-the-middle attack when using only HTTP.
Are the signing keys somewhere shown in the WebUI?

Regards,
Martin
On Thursday, 11 August 2016, 19:27:02 CEST, Martin Koegler wrote:
On Thu, Aug 11, 2016 at 11:58:24AM -0500, Archie Cobbs wrote:
On Thu, Aug 11, 2016 at 11:49 AM, Per Jessen wrote:
True.. but just to be clear, we're talking about a specific (but common) scenario, which is when a user downloads the signing key via zypper ref, automatically answering "Trust Always?" with yes.
In this scenario what we have today is delivery of that key via HTTP. I'm suggesting we change this to HTTPS, which is much more secure.
That key isn't confidential (or is it?), so what might be gained by enabling https?
Delivery of the key is vulnerable to a man-in-the-middle attack when using only HTTP.
Are the signing keys somewhere shown in the WebUI?
Not yet, but there is an open feature for it. You can get them using

osc signkey $project

but you need an account for that.

--
Adrian Schroeter
email: adrian@suse.de
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
Maxfeldstraße 5
90409 Nürnberg
Germany
Archie Cobbs wrote:
On Thu, Aug 11, 2016 at 11:49 AM, Per Jessen wrote:
On Thu, Aug 11, 2016 at 10:02 AM, Andreas Stieger wrote:
HTTPS (signed by *any* CA) is a downgrade in security compared to signed metadata and packages.
True.. but just to be clear, we're talking about a specific (but common) scenario, which is when a user downloads the signing key via zypper ref, automatically answering "Trust Always?" with yes.
In this scenario what we have today is delivery of that key via HTTP. I'm suggesting we change this to HTTPS, which is much more secure.
That key isn't confidential (or is it?), so what might be gained by enabling https?
Delivery of the key is vulnerable to a man-in-the-middle attack when using only HTTP.
And once you've installed my bogus signing key, I can sign any bogus package I want with it and you would trust it.
Okay. Well, technically I see nothing preventing us from enabling https; we could use Let's Encrypt certificates, for instance. Forcing https for anything that isn't mirrored should also be possible. I don't have the access to look into it, so maybe write to admin@opensuse.org and propose it.

--
Per Jessen, Zürich (15.1°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On Thursday, 11 August 2016, 16:58:39 CEST, Bruno Friedmann wrote:
On Thursday, 11 August 2016 08.31:02 h CEST, Archie Cobbs wrote:
Although OBS provides signing keys, I'm pretty certain that the majority of users do not actually verify their fingerprints before selecting "Trust Always".
Oh well, it's not a perfect world.
However, we could improve things a lot without requiring changing any behavior if the download site supported HTTPS access instead of only HTTP. Normal use of HTTPS is becoming standard practice these days - google, github, etc.
For example, this HTTPS URL does NOT work:
https://download.opensuse.org/repositories/Apache/openSUSE_Leap_42.1/repodata/repomd.xml.key
instead you have to use insecure HTTP:
http://download.opensuse.org/repositories/Apache/openSUSE_Leap_42.1/repodata/repomd.xml.key
Any reason we can't secure OBS access? If not, can we at least do it for the signing key files themselves?
With what we have now, and users' tendency to "Trust Always" without thinking, the signing keys are not really doing what they could.
-Archie
Even if download.o.o was serving https, download.o.o is a redirector, so you will get the key from one mirror, and those certainly do not all offer https.
we could deliver it itself, similar to what we do with meta data already.
What to do? Grab the list of mirrors, and ask kindly to their hostmaster to install and support https. Once all are done, things can be easily improved, no? ;-)
However, redirection from https to another https or http works only if the client supports it. I do not have an overview atm of which clients would break here ...

--
Adrian Schroeter
email: adrian@suse.de
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
Maxfeldstraße 5
90409 Nürnberg
Germany
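The thread's underlying point is that a key fetched over plain HTTP and accepted with "Trust Always" is only as trustworthy as the network path, while a key whose fingerprint is checked against a value obtained out of band (for example via osc signkey $project, as mentioned above, or the project's published fingerprint) is not. The following is an added example, not OBS or zypper code: it parses just enough OpenPGP (RFC 4880) to locate the primary public-key packet in a downloaded repomd.xml.key and compute its v4 fingerprint, then compares that to a pinned fingerprint. The sample key block is constructed inline from a toy RSA modulus and is not a real key; the creation timestamp, modulus and function names are assumptions of this example.

```python
"""Check a downloaded repomd.xml.key against a fingerprint obtained out of
band, instead of answering "Trust Always".

Added example, not OBS/zypper code. A v4 OpenPGP fingerprint is SHA-1 over
0x99 || two-byte body length || public-key packet body (RFC 4880 section 12.2).
"""
import base64
import hashlib
import hmac
import re
import sys


def dearmor(armored: str) -> bytes:
    """Return the binary packets inside an ASCII-armored key block.

    Armor headers ("Version: ..."), blank lines and the trailing "=XXXX"
    CRC24 line are skipped; the CRC itself is not checked here.
    """
    body, inside = [], False
    for line in armored.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN"):
            inside = True
        elif line.startswith("-----END"):
            break
        elif inside and line and ":" not in line and not line.startswith("="):
            body.append(line)
    if not body:
        raise ValueError("no armored key block found")
    return base64.b64decode("".join(body))


def iter_packets(data: bytes):
    """Yield (tag, body) for each OpenPGP packet (RFC 4880 section 4.2)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("invalid packet header")
        if ctb & 0x40:  # new-format header
            tag, b0 = ctb & 0x3F, data[i + 1]
            if b0 < 192:
                length, hdr = b0, 2
            elif b0 < 224:
                length, hdr = ((b0 - 192) << 8) + data[i + 2] + 192, 3
            elif b0 == 255:
                length, hdr = int.from_bytes(data[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header: length field is 1, 2 or 4 bytes
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << ltype
            length, hdr = int.from_bytes(data[i + 1:i + 1 + n], "big"), 1 + n
        body = data[i + hdr:i + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body
        i += hdr + length


def v4_fingerprint(pubkey_body: bytes) -> str:
    """Uppercase hex fingerprint of a version 4 public-key packet body."""
    if not pubkey_body or pubkey_body[0] != 4:
        raise ValueError("only version 4 keys are supported")
    prefix = b"\x99" + len(pubkey_body).to_bytes(2, "big")
    return hashlib.sha1(prefix + pubkey_body).hexdigest().upper()


def key_fingerprint(armored: str) -> str:
    """Fingerprint of the primary key (first tag-6 packet) in the block."""
    for tag, body in iter_packets(dearmor(armored)):
        if tag == 6:
            return v4_fingerprint(body)
    raise ValueError("no public-key packet in block")


def verify_key(armored: str, pinned_fingerprint: str) -> bool:
    """True only if the downloaded key matches the fingerprint you trust.

    Whitespace and colons in the pinned value are ignored so that gpg-style
    "AAAA BBBB ..." output can be pasted as-is.
    """
    want = re.sub(r"[\s:]", "", pinned_fingerprint).upper()
    return hmac.compare_digest(key_fingerprint(armored), want)


def build_sample_key(modulus: bytes, exponent: int = 65537) -> str:
    """Constructed sample: an armored block with one old-format v4 RSA
    public-key packet around a toy modulus. Not a real or secure key."""
    def mpi(value: int) -> bytes:
        nbits = value.bit_length()
        return nbits.to_bytes(2, "big") + value.to_bytes((nbits + 7) // 8, "big")
    creation = (0x57AC5A00).to_bytes(4, "big")  # arbitrary timestamp
    body = b"\x04" + creation + b"\x01" + mpi(int.from_bytes(modulus, "big")) + mpi(exponent)
    packet = b"\x99" + len(body).to_bytes(2, "big") + body  # tag 6, 2-byte length
    b64 = base64.b64encode(packet).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed sample\n\n"
            + "\n".join(lines) + "\n-----END PGP PUBLIC KEY BLOCK-----\n")


SAMPLE_MODULUS = bytes(range(0xA5, 0xA5 + 32))  # constructed, 256-bit toy value
SAMPLE_KEY = build_sample_key(SAMPLE_MODULUS)

if __name__ == "__main__":
    # Usage: python check_key.py repomd.xml.key "<pinned fingerprint>"
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            ok = verify_key(fh.read(), sys.argv[2])
        print("fingerprint matches" if ok else "FINGERPRINT MISMATCH - do not import")
        sys.exit(0 if ok else 1)
    print("sample key fingerprint:", key_fingerprint(SAMPLE_KEY))
```

Run it against a key file and the fingerprint you obtained through an authenticated channel; a mismatch means the file on the download path is not the project's key, regardless of whether it arrived over HTTP or HTTPS. The script only ever reads the key; importing it into rpm or zypper stays a separate, deliberate step.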
participants (6)
- Adrian Schröter
- Andreas Stieger
- Archie Cobbs
- Bruno Friedmann
- Martin Koegler
- Per Jessen