[opensuse-security] Doubt on the security model of OBS repo signing
## Prelude

Recently I received a checksum error during a system upgrade, something like this:

2017-09-11 20:28:48 <1> brilliant-laptop(25623) [zypp++] MediaCurl.cc(log_redirects_curl):135 redirecting to Location: http://ftp-srv2.kddilabs.jp/Linux/packages/opensuse/tumbleweed/repo/oss/suse... 2017-09-11 20:28:48 <2> brilliant-laptop(25623) [FileChecker] FileChecker.cc(operator()):64 File /var/cache/zypp/packages/repo-oss/suse/noarch/qemu-sgabios-8-1.1.noarch.rpm has wrong checksum sha1-1f96e12b066af531cec4d104fa4522966fb8af4f (expected sha1-18f04703e82b012340400398f0b7404b07b77769)

I think my ISP might have a transparent proxy server to save their bandwidth, and the file on that proxy server might be broken. I have even once been offered a corrupted installer ISO! (which installed without any error in a test VM.)

I am not sure if I am suffering from a deliberate MITM attack. So I spent some time investigating the security model of openSUSE package delivery.

## Investigation

I set up Wireshark and some other tools to capture the network data. Here are my findings. (If anything below is wrong, please tell me.)

- All official repos (repo-debug, repo-non-oss, repo-oss, repo-source, repo-update) are HTTP, but their GPG keys are preloaded in the installer ISO. If the user checksums their installation media, this will be safe enough.
- If the user chooses to One-Click-Install an "unstable package" on software.opensuse.org, the ymp script is served over HTTPS, but OBS repository URLs are HTTP by default.
- OneClickInstallUI fetches repomd.xml.key over plain HTTP, and asks the user whether to "Import Untrusted GPG Key".
- It is not easy to check whether the GPG key is correct by hand & eye. At least it is not one-click-available, since the "GPG Key / SSL Certificate" button is only visible on the page of your own OBS project.
- It is lucky that repomd.xml.key is not distributed to 3rd-party mirrors by MirrorBrain. Although mirrors can do no evil to the key, it might still be vulnerable to an MITM attack.

Conclusion: official repos are safe, but OBS repos are something we should be careful about.

Although openSUSE is not responsible for the quality of the software in user repos, it had better lengthen the shortest stave of the security barrel for the user.

## Suggestions

It might be difficult to modify the current architecture. I want to suggest some ways to make it better. I am not sure if they work, let's just discuss them.

1. Embedding the GPG key in the ymp script. This might require modification to OneClickInstallUI, and it is safe once the ymp is served over HTTPS. Any 3rd-party repo may benefit from the feature by embedding their keys.
2. Showing the GPG key in a place where the user can never miss it. Also educate the user to check it. This includes not hiding the "GPG Key / SSL Certificate" button for repos not owned by oneself. In addition, put it on both build.opensuse.org and software.opensuse.org.
3. Alternatively, serving the repo metadata over HTTPS, but packages over HTTP. This requires the least modification to the client. Since repomd.xml.key already bypasses MirrorBrain, simply modifying the repo's URL to HTTPS will make it safe. As side-effects, it will increase the load on the download.opensuse.org server, and will increase the time required to do a "zypper refresh".

Anyway, if I made any mistake in this mail, please tell me. I hope openSUSE could be more secure and easier to use.

--
StarBrilliant

--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-security+owner@opensuse.org
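A check for the finding that OBS repository URLs in a .ymp are HTTP by default, together with the rewrite the third suggestion proposes. This is an added example, not code from the thread, from openSUSE or from software-o-o; it assumes the One-Click-Install layout metapackage/group/repositories/repository/url in the http://opensuse.org/Standards/One_Click_Install namespace, and the sample .ymp below is constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Namespace of the One-Click-Install (.ymp) format, as assumed here.
NS = {"oci": "http://opensuse.org/Standards/One_Click_Install"}

# Constructed sample .ymp: one OBS home repo over plain HTTP, one over HTTPS.
SAMPLE_YMP = """<?xml version="1.0"?>
<metapackage xmlns="http://opensuse.org/Standards/One_Click_Install">
  <group>
    <repositories>
      <repository recommended="true">
        <name>home:example:tools</name>
        <url>http://download.opensuse.org/repositories/home:/example:/tools/openSUSE_Tumbleweed/</url>
      </repository>
      <repository recommended="true">
        <name>openSUSE:Tumbleweed</name>
        <url>https://download.opensuse.org/tumbleweed/repo/oss/</url>
      </repository>
    </repositories>
    <software><item><name>example-tool</name></item></software>
  </group>
</metapackage>
"""

def repo_urls(ymp_text):
    """Return (name, url) pairs for every repository the .ymp would add."""
    root = ET.fromstring(ymp_text)
    return [(r.findtext("oci:name", namespaces=NS), r.findtext("oci:url", namespaces=NS).strip())
            for r in root.iterfind(".//oci:repository", NS)]

def plaintext_repos(ymp_text):
    """Repos whose repomd.xml and repomd.xml.key would be fetched over plain HTTP (key exposed on-path)."""
    return [name for name, url in repo_urls(ymp_text) if urlsplit(url).scheme == "http"]

def upgrade_to_https(ymp_text, hosts=("download.opensuse.org",)):
    """Rewrite http:// repo URLs on hosts known to serve HTTPS (suggestion 3).
    Returns (new_xml, number_of_urls_changed); other hosts are left untouched."""
    ET.register_namespace("", NS["oci"])  # keep the default namespace on output
    root = ET.fromstring(ymp_text)
    changed = 0
    for url_el in root.iterfind(".//oci:repository/oci:url", NS):
        parts = urlsplit(url_el.text.strip())
        if parts.scheme == "http" and parts.hostname in hosts:
            url_el.text = urlunsplit(("https",) + tuple(parts[1:]))
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed
```

Running plaintext_repos on a downloaded .ymp lists the repositories whose signing key would be trusted on the strength of an unauthenticated HTTP fetch; upgrade_to_https produces the file software.opensuse.org would serve after the change Marcus describes.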
Hi,

Thank you for your long and detailed E-Mail!

On Tue, Sep 12, 2017 at 12:51:13AM +0800, star@aosc.io wrote:
> ## Prelude
> Recently I received a checksum error during a system upgrade, something like this:
> 2017-09-11 20:28:48 <1> brilliant-laptop(25623) [zypp++] MediaCurl.cc(log_redirects_curl):135 redirecting to Location: http://ftp-srv2.kddilabs.jp/Linux/packages/opensuse/tumbleweed/repo/oss/suse... 2017-09-11 20:28:48 <2> brilliant-laptop(25623) [FileChecker] FileChecker.cc(operator()):64 File /var/cache/zypp/packages/repo-oss/suse/noarch/qemu-sgabios-8-1.1.noarch.rpm has wrong checksum sha1-1f96e12b066af531cec4d104fa4522966fb8af4f (expected sha1-18f04703e82b012340400398f0b7404b07b77769)
> I think my ISP might have a transparent proxy server to save their bandwidth, and the file on that proxy server might be broken. I have even once been offered a corrupted installer ISO! (which installed without any error in a test VM.)
> I am not sure if I am suffering from a deliberate MITM attack. So I spent some time investigating the security model of openSUSE package delivery.
> ## Investigation
> I set up Wireshark and some other tools to capture the network data. Here are my findings. (If anything below is wrong, please tell me.)
> - All official repos (repo-debug, repo-non-oss, repo-oss, repo-source, repo-update) are HTTP, but their GPG keys are preloaded in the installer ISO. If the user checksums their installation media, this will be safe enough.
This is correct.
> - If the user chooses to One-Click-Install an "unstable package" on software.opensuse.org, the ymp script is served over HTTPS, but OBS repository URLs are HTTP by default.
> - OneClickInstallUI fetches repomd.xml.key over plain HTTP, and asks the user whether to "Import Untrusted GPG Key".
> - It is not easy to check whether the GPG key is correct by hand & eye. At least it is not one-click-available, since the "GPG Key / SSL Certificate" button is only visible on the page of your own OBS project.
This is also correct.
> - It is lucky that repomd.xml.key is not distributed to 3rd-party mirrors by MirrorBrain. Although mirrors can do no evil to the key, it might still be vulnerable to an MITM attack.

This is intentional: the repomd* files are delivered only by download.opensuse.org.

> Conclusion: official repos are safe, but OBS repos are something we should be careful about.
> Although openSUSE is not responsible for the quality of the software in user repos, it had better lengthen the shortest stave of the security barrel for the user.
> ## Suggestions
> It might be difficult to modify the current architecture. I want to suggest some ways to make it better. I am not sure if they work, let's just discuss them.
> 1. Embedding the GPG key in the ymp script. This might require modification to OneClickInstallUI, and it is safe once the ymp is served over HTTPS. Any 3rd-party repo may benefit from the feature by embedding their keys.
> 2. Showing the GPG key in a place where the user can never miss it. Also educate the user to check it. This includes not hiding the "GPG Key / SSL Certificate" button for repos not owned by oneself. In addition, put it on both build.opensuse.org and software.opensuse.org.
> 3. Alternatively, serving the repo metadata over HTTPS, but packages over HTTP. This requires the least modification to the client. Since repomd.xml.key already bypasses MirrorBrain, simply modifying the repo's URL to HTTPS will make it safe. As side-effects, it will increase the load on the download.opensuse.org server, and will increase the time required to do a "zypper refresh".
> Anyway, if I made any mistake in this mail, please tell me. I hope openSUSE could be more secure and easier to use.

We enabled https support on download.opensuse.org a while ago, and the next step for us is what you suggest in "Step 3", namely changing software.opensuse.org to deliver https instead of http URLs.

(I had opened https://github.com/openSUSE/software-o-o/issues/123 a while ago and sent a pull request after receiving your e-mail.)

The GPG chain of trust model is tricky for package management and we have been reviewing improvements on that on and off; there is likely work to do.

Ciao, Marcus for SUSE Security
On 2017-09-13 23:26, Marcus Meissner wrote:
> Hi,
> Thank you for your long and detailed E-Mail!
I'm really sorry for having written too much. Here's a short summary for other readers who don't want to read the previous mail: The GPG keys for OBS are delivered in plain HTTP and require manual check, which could be improved.
> We enabled https support on download.opensuse.org a while ago, and the next step for us is what you suggest in "Step 3", namely changing software.opensuse.org to deliver https instead of http URLs.
> (I had opened https://github.com/openSUSE/software-o-o/issues/123 a while ago and sent a pull request after receiving your e-mail.)
> The GPG chain of trust model is tricky for package management and we have been reviewing improvements on that on and off; there is likely work to do.

Thank you for your efforts on making openSUSE better!

By the way, have you considered those 2 other suggestions? (embedding the GPG key into the ymp file, displaying the GPG key on the OBS project page) Embedding the key also opens an opportunity for 3rd-party commercial software repos, so they don't need a separate "rpm --import".

--
Best regards,
StarBrilliant
Hi,

On Thu, Sep 14, 2017 at 12:12:34AM +0800, star@aosc.io wrote:
> On 2017-09-13 23:26, Marcus Meissner wrote:
>> Hi,
>> Thank you for your long and detailed E-Mail!
> I'm really sorry for having written too much.
No problem, that was fine :)
> Here's a short summary for other readers who don't want to read the previous mail: The GPG keys for OBS are delivered in plain HTTP and require manual check, which could be improved.
>> We enabled https support on download.opensuse.org a while ago, and the next step for us is what you suggest in "Step 3", namely changing software.opensuse.org to deliver https instead of http URLs.
>> (I had opened https://github.com/openSUSE/software-o-o/issues/123 a while ago and sent a pull request after receiving your e-mail.)
>> The GPG chain of trust model is tricky for package management and we have been reviewing improvements on that on and off; there is likely work to do.
> Thank you for your efforts on making openSUSE better!
> By the way, have you considered those 2 other suggestions? (embedding the GPG key into the ymp file, displaying the GPG key on the OBS project page) Embedding the key also opens an opportunity for 3rd-party commercial software repos, so they don't need a separate "rpm --import".

So far we did not consider embedding GPG keys into the YMP themselves; this is a nice idea. The OBS project page only shows it occasionally, as you wrote, so this could be improved more.

This is a bigger topic where we need to do more reviews and research and also design how to best integrate it into the package management tools. :/

Ciao, Marcus