Andreas Stieger changed bug 1110245
What             | Removed                    | Added
Priority         | P2 - High                  | P5 - None
Status           | NEW                        | RESOLVED
Version          | Leap 42.3                  | Current
Keywords         | downstream, Install, Upgrade |
CC               |                            | astieger@suse.com
Component        | YaST2                      | Security
Found By         | Field Engineer             | Community User
Assignee         | yast2-maintainers@suse.de  | security-team@suse.de
Resolution       | ---                        | WONTFIX
Product          | openSUSE Distribution      | openSUSE Tumbleweed
Target Milestone | Leap 42.3                  | Current

Comment # 1 on bug 1110245 from
From the SUSE Security team:

(In reply to Gregory Kochurov from comment #0)
> This compromises the security of users.

No it does not. Repository metadata and packages are signed. This is actually a
higher security level than TLS's "any CA" approach. For package delivery,
integrity is the most important element and well covered. Confidentiality is
less important for this type of transfer.

> If their connection to the Internet is intercepted, if they work
> through any proxy server, the attackers can modify the packages on the fly
> during the download. To install malware and spyware into target system.

Again not true. The user receives a signature verification error, or will have
to accept unknown repository signing keys, or disable signature verification
altogether.

> This will make users' safety a step higher. I'm sure there will be less
> glitches, bugs in user systems.

As per the above, using https will actually create a false sense of security,
and it cannot replace repository metadata and signature verification. Also see
bug 1107994 for things that can happen.

So all in all, for the openSUSE mirror redirection infrastructure, we cannot
switch to HTTPS by default at this time, and consider repository and package
signature a better security guarantee due to the implicit pinning to a specific
key.
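
The comment above names disabled signature verification as the case where a modified download would go unnoticed. As an added example (not part of the bug report or of openSUSE tooling), this Python script audits zypper `.repo` file content for enabled repositories that switch off `gpgcheck`, `repo_gpgcheck` or `pkg_gpgcheck`. The sample repositories are constructed, and treating a missing `enabled` key as enabled is an assumption.

```python
import configparser

# Constructed sample of zypper .repo content (not taken from the bug report).
SAMPLE_REPOS = """
[repo-oss]
name=Main Repository
enabled=1
baseurl=http://download.opensuse.org/tumbleweed/repo/oss/
gpgcheck=1

[third-party]
name=Example third-party repo
enabled=1
baseurl=https://repo.example.invalid/rpm/
gpgcheck=0

[old-mirror]
name=Disabled mirror
enabled=0
baseurl=http://mirror.example.invalid/
pkg_gpgcheck=0
"""

GPG_KEYS = ("gpgcheck", "repo_gpgcheck", "pkg_gpgcheck")
OFF = {"0", "no", "false", "off"}

def audit_repos(text):
    """Return findings for enabled repos that switch signature checks off."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for alias in cp.sections():
        repo = cp[alias]
        # Assumption: a repo without an "enabled" key counts as enabled.
        if repo.get("enabled", "1").strip().lower() in OFF:
            continue  # disabled repos are not refreshed or installed from
        disabled = [k for k in GPG_KEYS
                    if repo.get(k, "").strip().lower() in OFF]
        if disabled:
            # Transport is reported for context only: https does not
            # replace the signature check that was switched off.
            scheme = repo.get("baseurl", "").split("://", 1)[0].lower()
            findings.append({"alias": alias, "disabled": disabled,
                             "transport": scheme})
    return findings

if __name__ == "__main__":
    for f in audit_repos(SAMPLE_REPOS):
        print(f"{f['alias']}: {', '.join(f['disabled'])} off "
              f"(transport: {f['transport']})")
```

The `third-party` entry is flagged even though it uses https, while the plain-http `repo-oss` entry with `gpgcheck=1` is not.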

