Lew Wolfgang <wolfgang@sweet-haven.com> writes:
On 6/25/23 14:55, Georg Pfuetzenreuter via openSUSE Factory wrote:
Hi,
all packages are signed using GPG - you can establish trust by validating their signatures. ISO images are shipped together with a signed checksum you can validate and compare.
Yes, sha256 hashes are good. But where do you get the hash from? The same site that offers the ISO? What could possibly go wrong?
An attacker can certainly forge the hashes, but they cannot forge the GPG signatures unless they have access to the private key (and then all hope is lost anyway).
Many use plain HTTP to download openSUSE packages and images as the binary authenticity is not related to the security of the transport channel.
I agree, but that's not the issue.
You can find some instructions on validating downloaded openSUSE ISO images here: https://en.opensuse.org/SDB:Download_help#Checksums
Yup, but where do you get the One True Hash?
Apart from this, Let's Encrypt is as valid of a certificate authority as any other doing purely domain validation. Whether paid ones doing organization validation are more trustworthy is a debatable topic.
The issue is of validation of control of the domain. A hacker could take over opensuse.org, then take out a Let's Encrypt cert and distribute malware over the secure channel.
A different certificate authority will not protect you from this scenario either. If an attacker gains access to your server and extracts your private keys, then you've lost, irrespective who issues the cert. Actually, with Let's Encrypt, you'll be certain that the damage will be done only for at most 3 months. With your usual suspects, your certificate might be valid for as long as 2 years. I am not sure if certificate revocation improved over the past years, but last time I looked at that topic, it was still something you couldn't really rely on… Cheers, Dan -- Dan Čermák <dcermak@suse.com> Software Engineer Development tools SUSE Software Solutions Germany GmbH Frankenstrasse 146 90461 Nürnberg Germany (HRB 36809, AG Nürnberg) Managing Director/Geschäftsführer: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman