[Bug 1110245] New: Connection to online repositories should be HTTPS
http://bugzilla.opensuse.org/show_bug.cgi?id=1110245

            Bug ID: 1110245
           Summary: Connection to online repositories should be HTTPS
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: Leap 42.3
          Hardware: All
                OS: All
            Status: NEW
          Severity: Enhancement
          Priority: P5 - None
         Component: YaST2
          Assignee: yast2-maintainers@suse.de
          Reporter: digitalmon@rambler.ru
        QA Contact: jsrain@suse.com
          Found By: ---
           Blocker: ---

Although the online repository servers support HTTPS connections, downloading of packets still occurs via the HTTP protocol.

This compromises the security of users. If their connection to the Internet is intercepted, if they work through any proxy server, the attackers can modify the packages on the fly during the download. To install malware and spyware into target system.

At the moment, you can only manually change the URLs of the repositories to https so that the packets are downloaded over a secure channel.

I want that by default in the operating system the connection to the online repositories, the downloading of packets, should be with an HTTPS connection.

This will make users' safety a step higher. I'm sure there will be less glitches, bugs in user systems.

But HTTPS is not a panacea. It is also vulnerable to MITM attack. The private surveillance service known to me generates its own RSA keys to encrypt the HTTPS, brute-forces a digital signature for them so that the user's browser does not suspect forgery. The attacker's computer connects to the remote server by HTTPS, downloads packages, replaces executable files, infects them with a virus, and gives the user HTTPS traffic with his encryption key and a digital signature. But such an attack is not for everyone. To make it more difficult, you need to use long encryption keys and digital signatures on the repository servers. RSA4096 at least.

I know that even an LTE connection to the Internet can be intercepted using special technical means and OpenLTE, so I do not trust LTE. An LTE connection can work without encryption, and a 3G connection seems to be always encrypted. A wired connection to the Internet is generally easy to intercept, both PPPoE and DHCP (DHCP is without authorization and verification of the provider access point). A 3G modem with a good antenna has the same speed as LTE.

--
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1110245

Gregory Kochurov <digitalmon@rambler.ru> changed:

What             |Removed          |Added
----------------------------------------------------------------------------
Keywords         |                 |downstream, Install, Upgrade
Priority         |P5 - None        |P2 - High
Found By         |---              |Field Engineer
Target Milestone |---              |Leap 42.3
QA Contact       |jsrain@suse.com  |
http://bugzilla.opensuse.org/show_bug.cgi?id=1110245
http://bugzilla.opensuse.org/show_bug.cgi?id=1110245#c1

Andreas Stieger <astieger@suse.com> changed:

What             |Removed                      |Added
----------------------------------------------------------------------------
Priority         |P2 - High                    |P5 - None
Status           |NEW                          |RESOLVED
Version          |Leap 42.3                    |Current
Keywords         |downstream, Install, Upgrade |
CC               |                             |astieger@suse.com
Component        |YaST2                        |Security
Found By         |Field Engineer               |Community User
Assignee         |yast2-maintainers@suse.de    |security-team@suse.de
Resolution       |---                          |WONTFIX
Product          |openSUSE Distribution        |openSUSE Tumbleweed
Target Milestone |Leap 42.3                    |Current

--- Comment #1 from Andreas Stieger <astieger@suse.com> ---
From the SUSE Security team:
(In reply to Gregory Kochurov from comment #0)
> This compromises the security of users.

No, it does not. Repository metadata and packages are signed. This is actually a higher security level than TLS's "any CA" approach. For package delivery, integrity is the most important element and well covered. Confidentiality is less important for this type of transfer.

> If their connection to the Internet is intercepted, if they work through any proxy server, the attackers can modify the packages on the fly during the download. To install malware and spyware into target system.

Again not true. The user receives a signature verification error, or will have to accept unknown repository signing keys, or disable signature verification altogether.

> This will make users' safety a step higher. I'm sure there will be less glitches, bugs in user systems.

As per the above, using https will actually create a false sense of security, and it cannot replace repository metadata and signature verification. Also see bug 1107994 for things that can happen.

So all in all, for the openSUSE mirror redirection infrastructure, we cannot switch to HTTPS by default at this time, and consider repository and package signature a better security guarantee due to the implicit pinning to a specific key.
http://bugzilla.opensuse.org/show_bug.cgi?id=1110245
http://bugzilla.opensuse.org/show_bug.cgi?id=1110245#c2

Yunhe Guo <i@guoyunhe.me> changed:

What             |Removed          |Added
----------------------------------------------------------------------------
CC               |                 |i@guoyunhe.me

--- Comment #2 from Yunhe Guo <i@guoyunhe.me> ---
Even in 2020, ISPs are still caching HTTP data in a very bad way. If ISPs send you outdated repo data, you will get errors when running zypper up... This happens quite often in China. I have to answer the same kind of questions every month and ask people to switch to HTTPS. Most users just blame openSUSE for "bad download server" but it is because of the ISP...

I agree with Andreas Stieger that HTTPS doesn't bring extra security benefits. But it can definitely prevent ISPs from downgrading our user experience...

We must certainly keep GPG signatures for security and mirror verification. But we can also enforce HTTPS to avoid unnecessary errors.
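Added example, not part of the thread or of any openSUSE tooling: an audit of repository definitions that keeps apart the two concerns raised in comments #1 and #2, disabled signature checking (the integrity control) and plain-HTTP transport (the caching and rewriting exposure). The sample input and `repo.example.org` URLs are constructed, `audit_repos` is a hypothetical helper, and treating a missing `gpgcheck` key as enabled is an assumption about the system default.

```python
import configparser

# Constructed sample in the INI layout of /etc/zypp/repos.d/*.repo (not from the bug report).
SAMPLE_REPOS = """\
[repo-oss]
enabled=1
baseurl=http://repo.example.org/leap/oss/
gpgcheck=1

[repo-update]
baseurl=https://repo.example.org/leap/update/

[third-party]
baseurl=https://repo.example.org/rpm/
gpgcheck=0

[old-debug]
enabled=0
baseurl=http://repo.example.org/debug/
gpgcheck=0
"""

FALSY = {"0", "no", "false", "off"}


def audit_repos(text, default_gpgcheck=True):
    """Return {alias: [findings]} for enabled repositories only."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    report = {}
    for alias in cp.sections():
        repo = cp[alias]
        if repo.get("enabled", "1").strip().lower() in FALSY:
            continue  # a disabled repo is never fetched, so it is not reported
        findings = []
        # Signature checking is what detects modified packages on any transport.
        raw = repo.get("gpgcheck")  # assumption: a missing key means the system default
        checked = default_gpgcheck if raw is None else raw.strip().lower() not in FALSY
        if not checked:
            findings.append("gpgcheck-disabled")
        # Plain HTTP stays tamper-evident while signatures are checked, but lets
        # intermediaries cache or rewrite responses (stale metadata, refresh errors).
        if any(u.lower().startswith("http://") for u in repo.get("baseurl", "").split()):
            findings.append("plain-http")
        report[alias] = findings
    return report


if __name__ == "__main__":
    print(audit_repos(SAMPLE_REPOS))
```

A repository flagged `gpgcheck-disabled` has lost its integrity guarantee whether or not it uses HTTPS, while `plain-http` alone marks the availability issue described in comment #2.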
http://bugzilla.opensuse.org/show_bug.cgi?id=1110245
http://bugzilla.opensuse.org/show_bug.cgi?id=1110245#c3

Andreas Stieger <Andreas.Stieger@gmx.de> changed:

What             |Removed          |Added
----------------------------------------------------------------------------
CC               |                 |arbichev@gmail.com

--- Comment #3 from Andreas Stieger <Andreas.Stieger@gmx.de> ---
*** Bug 1205431 has been marked as a duplicate of this bug. ***