http://bugzilla.opensuse.org/show_bug.cgi?id=1110245
http://bugzilla.opensuse.org/show_bug.cgi?id=1110245#c1

Andreas Stieger <astieger@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
        Priority|P2 - High                   |P5 - None
          Status|NEW                         |RESOLVED
         Version|Leap 42.3                   |Current
        Keywords|downstream, Install,        |
                |Upgrade                     |
              CC|                            |astieger@suse.com
       Component|YaST2                       |Security
        Found By|Field Engineer              |Community User
        Assignee|yast2-maintainers@suse.de   |security-team@suse.de
      Resolution|---                         |WONTFIX
         Product|openSUSE Distribution       |openSUSE Tumbleweed
Target Milestone|Leap 42.3                   |Current

--- Comment #1 from Andreas Stieger <astieger@suse.com> ---
From the SUSE Security team:
(In reply to Gregory Kochurov from comment #0)
> This compromises the security of users.
No it does not. Repository metadata and packages are signed. This is actually a higher security level than TLS's "any CA" approach. For package delivery, integrity is the most important element and well covered. Confidentiality is less important for this type of transfer.
> If their connection to the Internet is intercepted, or if they work through any proxy server, the attackers can modify the packages on the fly during the download, to install malware and spyware into the target system.
Again not true. The user receives a signature verification error, or will have to accept unknown repository signing keys, or disable signature verification altogether.
> This will make users' safety a step higher. I'm sure there will be less glitches, bugs in user systems.
As per the above, using https will actually create a false sense of security, and it cannot replace repository metadata and signature verification. Also see bug 1107994 for things that can happen. So all in all, for the openSUSE mirror redirection infrastructure, we cannot switch to HTTPS by default at this time, and consider repository and package signature a better security guarantee due to the implicit pinning to a specific key.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
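The comment above argues that integrity of repository content comes from signed metadata rather than from the transport. The following is an added example, not code from the bug report or from openSUSE's own tooling (zypper/libzypp), showing the checksum chain that a signed repomd.xml anchors: repomd.xml lists the SHA-256 digest of each repodata file, so once the detached GPG signature on repomd.xml (repomd.xml.asc) has been verified, any on-path modification of the metadata files is detected by a digest mismatch regardless of whether the download used plain HTTP. The repomd.xml and primary.xml.gz contents are constructed for the example; the GPG signature check itself is assumed to have happened before this code runs and is not part of the block.

```python
import gzip
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Namespace used by rpm-md repository metadata (repomd.xml).
REPO_NS = "{http://linux.duke.edu/metadata/repo}"

# Constructed sample: a tiny primary.xml, compressed the way repodata ships it.
PRIMARY_XML = (
    b'<?xml version="1.0"?><metadata packages="1">'
    b'<package type="rpm"><name>example</name></package></metadata>'
)
PRIMARY_GZ = gzip.compress(PRIMARY_XML, mtime=0)
PRIMARY_SHA256 = hashlib.sha256(PRIMARY_GZ).hexdigest()
PRIMARY_HREF = f"repodata/{PRIMARY_SHA256}-primary.xml.gz"

# Constructed repomd.xml referencing that file. In a real repository this is the
# file covered by repomd.xml.asc, so the digests it carries inherit the
# signature's integrity guarantee (assumed already verified here).
REPOMD_XML = f'''<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <revision>1</revision>
  <data type="primary">
    <checksum type="sha256">{PRIMARY_SHA256}</checksum>
    <location href="{PRIMARY_HREF}"/>
    <size>{len(PRIMARY_GZ)}</size>
  </data>
</repomd>
'''.encode()


def expected_checksums(repomd_xml: bytes) -> dict[str, tuple[str, str]]:
    """Map each repodata href to (hash algorithm name, expected hex digest)."""
    root = ET.fromstring(repomd_xml)
    expected = {}
    for data in root.findall(f"{REPO_NS}data"):
        checksum = data.find(f"{REPO_NS}checksum")
        location = data.find(f"{REPO_NS}location")
        if checksum is None or location is None:
            continue
        expected[location.get("href")] = (checksum.get("type"), checksum.text.strip())
    return expected


def verify_repodata(repomd_xml: bytes, fetched: dict[str, bytes]) -> dict[str, bool]:
    """Return {href: True/False} for every file listed in (signed) repomd.xml.

    A missing file or a digest mismatch is a failure; comparison is constant-time
    so the verdict does not leak through timing.
    """
    results = {}
    for href, (algo, digest) in expected_checksums(repomd_xml).items():
        body = fetched.get(href)
        if body is None:
            results[href] = False
            continue
        actual = hashlib.new(algo, body).hexdigest()
        results[href] = hmac.compare_digest(actual, digest)
    return results


def demo() -> tuple[bool, bool]:
    """Verify an untouched download, then one altered in transit (constructed)."""
    good = verify_repodata(REPOMD_XML, {PRIMARY_HREF: PRIMARY_GZ})
    # Constructed on-path tampering: the body changes, the signed repomd.xml
    # does not, so the digest recorded in repomd.xml no longer matches.
    tampered = gzip.compress(PRIMARY_XML.replace(b"example", b"evilpkg"), mtime=0)
    bad = verify_repodata(REPOMD_XML, {PRIMARY_HREF: tampered})
    return good[PRIMARY_HREF], bad[PRIMARY_HREF]


if __name__ == "__main__":
    untouched_ok, tampered_ok = demo()
    print(f"untouched primary.xml.gz verified: {untouched_ok}")
    print(f"tampered primary.xml.gz verified:  {tampered_ok}")
```

The same digest chain continues one level further in a real repository: primary.xml lists a checksum for every RPM, and the RPM header carries its own signature, which is what gives the "implicit pinning to a specific key" the comment refers to.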