Mailinglist Archive: opensuse-buildservice (124 mails)

Re: [opensuse-buildservice] Downloading (signing keys at least) from OBS via HTTPS?
  • From: Per Jessen <per@xxxxxxxxxxxx>
  • Date: Fri, 12 Aug 2016 09:46:22 +0200
  • Message-id: <nojusf$g0l$1@saturn.local.net>
Archie Cobbs wrote:

> On Thu, Aug 11, 2016 at 11:49 AM, Per Jessen <per@xxxxxxxxxxxx> wrote:
>>> On Thu, Aug 11, 2016 at 10:02 AM, Andreas Stieger
>>> <astieger@xxxxxxxx> wrote:
>>>> HTTPS (signed by *any* CA) is a downgrade in security compared to
>>>> signed metadata and packages.
>>>
>>> True.. but just to be clear, we're talking about a specific (but
>>> common) scenario, which is when a user downloads the signing key via
>>> zypper ref, automatically answering "Trust Always?" with yes.
>>>
>>> In this scenario what we have today is delivery of that key via
>>> HTTP. I'm suggesting we change this to HTTPS, which is much more
>>> secure.
>>
>> That key isn't confidential (or is it?), so what might be gained by
>> enabling https ?
>
> Delivery of the key is vulnerable to a man-in-the-middle attack when
> using only HTTP.
>
> And once you've installed my bogus signing key, I can sign any bogus
> package I want with it and you would trust it.

Okay. Well, technically I see nothing there preventing us from enabling
https, we could use Let's Encrypt certificates for instance. Forcing
https for anything that isn't mirrored should also be possible.

I don't have the access to look into it, so maybe write to
admin@xxxxxxxxxxxx and propose it.


--
Per Jessen, Zürich (15.1°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
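
The first-fetch trust problem discussed in this thread can also be handled on the client by pinning the key's full fingerprint before accepting it. The following is an added example, not code from the thread or from the openSUSE project; it assumes GnuPG 2.2 or later (for `--show-keys`), a fingerprint obtained over a separately authenticated channel, hypothetical function names, and a constructed sample key listing.

```shell
#!/bin/sh
# Added example: accept a downloaded repository signing key only if its full
# fingerprint equals a pinned value obtained over an authenticated channel.

# Constructed sample of `gpg --with-colons` output (not a real key).
SAMPLE_PIN='0123456789ABCDEF0123456789ABCDEF01234567'
SAMPLE_LISTING='pub:-:4096:1:89ABCDEF01234567:1470000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1470000000::X::Example Repo (constructed) <repo@example.invalid>:
sub:-:4096:1:0011223344556677:1470000000::::::e:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0011223344556677:'

# listing_matches_pin PIN
# Reads a colon-format key listing on stdin. Succeeds only if the listing
# holds exactly one public key and its primary fingerprint equals PIN.
listing_matches_pin() {
    # Normalise the pin: drop spaces and colons, upper-case the hex digits.
    pin=$(printf '%s' "$1" | tr -d ' :' | tr 'abcdef' 'ABCDEF')
    # Refuse short key IDs; only a full fingerprint (40+ hex digits) is a pin.
    [ "${#pin}" -ge 40 ] || return 1
    awk -F: -v pin="$pin" '
        $1 == "pub"         { npub++; want = 1; next }  # start of a primary key
        want && $1 == "fpr" { fpr = $10; want = 0 }     # its fingerprint, field 10
        END { exit !(npub == 1 && fpr == pin) }'
}

# check_key_file KEYFILE PIN
# Inspects KEYFILE without importing it into any keyring.
check_key_file() {
    gpg --batch --with-colons --with-fingerprint --show-keys "$1" 2>/dev/null |
        listing_matches_pin "$2"
}

# Offline demonstration on the constructed listing.
printf '%s\n' "$SAMPLE_LISTING" | listing_matches_pin "$SAMPLE_PIN" &&
    echo "sample key matches pinned fingerprint"
```

A file carrying more than one public key is rejected outright, so a substituted key cannot ride along with the expected one.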
