Hi Folks, I'm sure this isn't the right list for this question, but it will have to do. In downloading the Leap 15.5 ISO I noticed that the TLS cert is issued by Let's Encrypt. This is rather concerning considering all the current supply-chain security issues. Does Let's Encrypt still use a one-step domain verification process? If so, how can it really be trusted for something as important as an operating system? How can we be sure we're not downloading malware without strong domain verification of the source? Regards, Lew

Hello Lew, Allow me to give you two answers: Lazy (executive?) answer: if you want guarantees go with a commercial distro like SLES. Not so lazy one: are you concerned about authoritative DNS hijacking just in time for the renewal? Regards, CI.
On Sun., 25 June 2023 16:18, Lew Wolfgang <wolfgang@sweet-haven.com> wrote:
> Hi Folks,
> I'm sure this isn't the right list for this question, but it will have to do.
> In downloading the Leap 15.5 ISO I noticed that the TLS cert is issued by Let's Encrypt. This is rather concerning considering all the current supply-chain security issues.
> Does Let's Encrypt still use a one-step domain verification process? If so, how can it really be trusted for something as important as an operating system? How can we be sure we're not downloading malware without strong domain verification of the source?
> Regards, Lew

On 6/25/23 14:51, Cyrus wrote:
> Hello Lew,
> Allow me to give you two answers:
> Lazy (executive?) answer: if you want guarantees go with a commercial distro like SLES.
Yes, certainly true. But is an EV cert too much to ask to certify an important operating system?
> Not so lazy one: are you concerned about authoritative DNS hijacking just in time for the renewal?
It could happen. That whois shows nothing but "privacy" data doesn't help one's confidence either. I'm not saying anything is wrong, it just seems a little odd. Regards, Lew

Hi, all packages are signed using GPG - you can establish trust by validating their signatures. ISO images are shipped together with a signed checksum you can validate and compare. Many use plain HTTP to download openSUSE packages and images as the binary authenticity is not related to the security of the transport channel. You can find some instructions on validating downloaded openSUSE ISO images here: https://en.opensuse.org/SDB:Download_help#Checksums Apart from this, Let's Encrypt is as valid of a certificate authority as any other doing purely domain validation. Whether paid ones doing organization validation are more trustworthy is a debatable topic. Cheers, Georg
On 6/25/23 22:17, Lew Wolfgang wrote:
> Hi Folks,
> I'm sure this isn't the right list for this question, but it will have to do.
> In downloading the Leap 15.5 ISO I noticed that the TLS cert is issued by Let's Encrypt. This is rather concerning considering all the current supply-chain security issues.
> Does Let's Encrypt still use a one-step domain verification process? If so, how can it really be trusted for something as important as an operating system? How can we be sure we're not downloading malware without strong domain verification of the source?
> Regards, Lew

On 6/25/23 14:55, Georg Pfuetzenreuter via openSUSE Factory wrote:
> Hi,
> all packages are signed using GPG - you can establish trust by validating their signatures. ISO images are shipped together with a signed checksum you can validate and compare.
Yes, sha256 hashes are good. But where do you get the hash from? The same site that offers the ISO? What could possibly go wrong?
> Many use plain HTTP to download openSUSE packages and images as the binary authenticity is not related to the security of the transport channel.
I agree, but that's not the issue.
> You can find some instructions on validating downloaded openSUSE ISO images here: https://en.opensuse.org/SDB:Download_help#Checksums
Yup, but where do you get the One True Hash?
> Apart from this, Let's Encrypt is as valid of a certificate authority as any other doing purely domain validation. Whether paid ones doing organization validation are more trustworthy is a debatable topic.
The issue is of validation of control of the domain. A hacker could take over opensuse.org, then take out a Let's Encrypt cert and distribute malware over the secure channel. Regards, Lew

If a hacker took over opensuse.org, how could another cert issuer help here?
On 2023-06-25 20:19, Lew Wolfgang wrote:
> On 6/25/23 14:55, Georg Pfuetzenreuter via openSUSE Factory wrote:
>> Hi,
>> all packages are signed using GPG - you can establish trust by validating their signatures. ISO images are shipped together with a signed checksum you can validate and compare.
> Yes, sha256 hashes are good. But where do you get the hash from? The same site that offers the ISO? What could possibly go wrong?
>> Many use plain HTTP to download openSUSE packages and images as the binary authenticity is not related to the security of the transport channel.
> I agree, but that's not the issue.
>> You can find some instructions on validating downloaded openSUSE ISO images here: https://en.opensuse.org/SDB:Download_help#Checksums
> Yup, but where do you get the One True Hash?
>> Apart from this, Let's Encrypt is as valid of a certificate authority as any other doing purely domain validation. Whether paid ones doing organization validation are more trustworthy is a debatable topic.
> The issue is of validation of control of the domain. A hacker could take over opensuse.org, then take out a Let's Encrypt cert and distribute malware over the secure channel.
> Regards, Lew

Lew Wolfgang <wolfgang@sweet-haven.com> writes:
> On 6/25/23 14:55, Georg Pfuetzenreuter via openSUSE Factory wrote:
>> Hi,
>> all packages are signed using GPG - you can establish trust by validating their signatures. ISO images are shipped together with a signed checksum you can validate and compare.
> Yes, sha256 hashes are good. But where do you get the hash from? The same site that offers the ISO? What could possibly go wrong?
An attacker can certainly forge the hashes, but they cannot forge the GPG signatures unless they have access to the private key (and then all hope is lost anyway).
>> Many use plain HTTP to download openSUSE packages and images as the binary authenticity is not related to the security of the transport channel.
> I agree, but that's not the issue.
>> You can find some instructions on validating downloaded openSUSE ISO images here: https://en.opensuse.org/SDB:Download_help#Checksums
> Yup, but where do you get the One True Hash?
>> Apart from this, Let's Encrypt is as valid of a certificate authority as any other doing purely domain validation. Whether paid ones doing organization validation are more trustworthy is a debatable topic.
> The issue is of validation of control of the domain. A hacker could take over opensuse.org, then take out a Let's Encrypt cert and distribute malware over the secure channel.
A different certificate authority will not protect you from this scenario either. If an attacker gains access to your server and extracts your private keys, then you've lost, irrespective of who issues the cert. Actually, with Let's Encrypt, you'll be certain that the damage will be done only for at most 3 months. With your usual suspects, your certificate might be valid for as long as 2 years. I am not sure if certificate revocation improved over the past years, but last time I looked at that topic, it was still something you couldn't really rely on… Cheers, Dan
--
Dan Čermák <dcermak@suse.com> Software Engineer Development tools SUSE Software Solutions Germany GmbH Frankenstrasse 146 90461 Nürnberg Germany (HRB 36809, AG Nürnberg) Managing Director/Geschäftsführer: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman

Good morning,
On 26.06.23 at 05:19 Lew Wolfgang wrote:
> On 6/25/23 14:55, Georg Pfuetzenreuter via openSUSE Factory wrote:
>> Hi,
>> all packages are signed using GPG - you can establish trust by validating their signatures. ISO images are shipped together with a signed checksum you can validate and compare.
> Yes, sha256 hashes are good. But where do you get the hash from? The same site that offers the ISO? What could possibly go wrong?
Georg already wrote that the checksum is signed. Hence you can check if the checksum you downloaded is legit. Of course for that you need to trust the openSUSE GPG key. Kind Regards, Johannes
--
Johannes Kastl Linux Consultant & Trainer Tel.: +49 (0) 151 2372 5802 Mail: kastl@b1-systems.de B1 Systems GmbH Osterfeldstraße 7 / 85088 Vohburg http://www.b1-systems.de GF: Ralph Dehner Unternehmenssitz: Vohburg / AG: Ingolstadt, HRB 3537

On 6/25/23 22:09, Johannes Kastl wrote:
> Good morning,
> On 26.06.23 at 05:19 Lew Wolfgang wrote:
>> On 6/25/23 14:55, Georg Pfuetzenreuter via openSUSE Factory wrote:
>>> Hi,
>>> all packages are signed using GPG - you can establish trust by validating their signatures. ISO images are shipped together with a signed checksum you can validate and compare.
>> Yes, sha256 hashes are good. But where do you get the hash from? The same site that offers the ISO? What could possibly go wrong?
> Georg already wrote that the checksum is signed. Hence you can check if the checksum you downloaded is legit. Of course for that you need to trust the openSUSE GPG key.
Ah, good point. Maybe only the unwary are threatened? Still, domain-validated certs do present a security threat, however small. In a manner of speaking they're like self-signed certs, except their CAs are recognized by browsers. But I don't think that browsers report a cert as being EV anymore, so the whole thing may be moot anyway. Regards, Lew

Lew Wolfgang <wolfgang@sweet-haven.com> writes:
> On 6/25/23 22:09, Johannes Kastl wrote:
>> Good morning,
>> On 26.06.23 at 05:19 Lew Wolfgang wrote:
>>> On 6/25/23 14:55, Georg Pfuetzenreuter via openSUSE Factory wrote:
>>>> Hi,
>>>> all packages are signed using GPG - you can establish trust by validating their signatures. ISO images are shipped together with a signed checksum you can validate and compare.
>>> Yes, sha256 hashes are good. But where do you get the hash from? The same site that offers the ISO? What could possibly go wrong?
>> Georg already wrote that the checksum is signed. Hence you can check if the checksum you downloaded is legit. Of course for that you need to trust the openSUSE GPG key.
> Ah, good point. Maybe only the unwary are threatened?
> Still, domain-validated certs do present a security threat, however small. In a manner of speaking they're like self-signed certs, except their CAs are recognized by browsers. But I don't think that browsers report a cert as being EV anymore, so the whole thing may be moot anyway.
EV certificates are the same thing as domain validated certificates. The only difference is that the certificate authority *claims* that they have verified that the owner of the domain is a legitimate business. But since such a verification is not standardized in any fashion, its actual quality and usefulness varies wildly. Cheers, Dan
--
Dan Čermák <dcermak@suse.com> Software Engineer Development tools SUSE Software Solutions Germany GmbH Frankenstrasse 146 90461 Nürnberg Germany (HRB 36809, AG Nürnberg) Managing Director/Geschäftsführer: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman

On Sun, 25 Jun 2023 22:43:17 -0700, Lew Wolfgang wrote:
> Still, domain-validated certs do present a security threat, however small.
The only security threat present is if the API key used to access the DNS records is not secured properly. If it's not, you've got potentially bigger problems, such as having your private keys exposed.
--
Jim Henderson Please keep on-topic replies on the list so everyone benefits

On 2023-06-26 07:09, Johannes Kastl wrote:
> Good morning,
> On 26.06.23 at 05:19 Lew Wolfgang wrote:
>> On 6/25/23 14:55, Georg Pfuetzenreuter via openSUSE Factory wrote:
>>> Hi,
>>> all packages are signed using GPG - you can establish trust by validating their signatures. ISO images are shipped together with a signed checksum you can validate and compare.
>> Yes, sha256 hashes are good. But where do you get the hash from? The same site that offers the ISO? What could possibly go wrong?
> Georg already wrote that the checksum is signed. Hence you can check if the checksum you downloaded is legit. Of course for that you need to trust the openSUSE GPG key.
The GPG keys are to be verified against the list here: https://en.opensuse.org/openSUSE:Signing_Keys for which you need to certify that you are actually on that page and not another. Maybe we could get other pages, for example a suse.com page, to include this information so that there are several copies around.
--
Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
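Georg's message describes the verification flow (check the signature on the checksum file, then check the ISO against the checksum) and Carlos's message adds the missing step: the signing key's fingerprint has to be compared against the openSUSE:Signing_Keys page, not against anything served from the same mirror as the ISO. The script below is an added example for this thread; it is not openSUSE's own tooling and not code posted by any participant. It assumes the `.sha256` file is a PGP clearsigned text containing a coreutils-style `<hex>  <filename>` line (a detached `.asc` signature would need the two-argument form of `gpg --verify` instead), that the keyring directory holds only the key you imported after checking its fingerprint, and that the fingerprint argument is the one copied from the signing-keys page. The file names, keyring path and fingerprint are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or from openSUSE): verify a downloaded
# image in the order the thread settles on. The .sha256 file beside the ISO is
# assumed to be a PGP clearsigned text file containing a coreutils-style
# "<hex>  <filename>" line. Trust comes from the pinned key fingerprint, which
# you copy from https://en.opensuse.org/openSUSE:Signing_Keys out of band,
# never from the mirror that serves the ISO.
#
# Usage: sh verify_iso.sh <image.iso> <image.iso.sha256> <keyring-dir> <fingerprint>
# <keyring-dir> is a GnuPG home directory into which you imported only the
# signing key whose fingerprint you already checked (the path is a placeholder).

# Portable SHA-256 of a file (coreutils sha256sum or BSD shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Read gpg --status-fd output on stdin and print the primary-key fingerprint
# from a VALIDSIG line, upper-cased. VALIDSIG is emitted only for a
# cryptographically good signature; GOODSIG alone carries just a key ID and is
# not enough to pin against. Field 3 is the signing (sub)key fingerprint; the
# last field (present on GnuPG 2.x) is the primary key fingerprint.
fingerprint_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
             f = (length($NF) >= 40 && $NF ~ /^[0-9A-Fa-f]+$/) ? $NF : $3
             print toupper(f); exit
         }'
}

# Verify the clearsigned checksum file. Succeeds only if gpg reports a valid
# signature AND the key is the pinned one. Fingerprints may be given with the
# spaces shown on the signing-keys page; they are normalised before comparing.
verify_signed_checksum() {
    sumfile="$1"; keyring_dir="$2"
    pinned=$(printf '%s' "$3" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    status=$(gpg --homedir "$keyring_dir" --batch --status-fd 1 \
                 --verify "$sumfile" 2>/dev/null) || return 1
    actual=$(printf '%s\n' "$status" | fingerprint_from_status)
    [ -n "$actual" ] && [ "$actual" = "$pinned" ]
}

# Print the expected digest for <iso> from a checksum file. Works on a plain
# "<hex>  <name>" line and on the same line inside a clearsigned message.
expected_digest() {
    iso_name=$(basename "$1"); sumfile="$2"
    awk -v f="$iso_name" 'BEGIN { star = "*" f }
        length($1) == 64 && $1 ~ /^[0-9a-fA-F]+$/ && ($2 == f || $2 == star) {
            print tolower($1); exit
        }' "$sumfile"
}

# Compare the digest of the downloaded ISO with the expected one.
check_image() {
    iso="$1"; sumfile="$2"
    want=$(expected_digest "$iso" "$sumfile")
    [ -n "$want" ] || { echo "no digest for $(basename "$iso") in $sumfile" >&2; return 1; }
    [ "$(sha256_of "$iso")" = "$want" ]
}

# Whole flow: signature first, digest second, stop at the first failure.
verify_iso() {
    verify_signed_checksum "$2" "$3" "$4" || { echo "signature check failed" >&2; return 1; }
    check_image "$1" "$2" || { echo "digest mismatch for $1" >&2; return 1; }
    echo "OK: $1 matches its signed checksum"
}

# Run the flow only when invoked with all four arguments.
if [ "$#" -eq 4 ]; then
    verify_iso "$@"
fi
```

The order matters: the digest comparison is only meaningful after the signature on the checksum file has been tied to the pinned fingerprint, which answers the "where do you get the One True Hash?" objection. A successful `gpg --verify` against whatever key happens to be in the default keyring is not the same check, which is why the script uses a dedicated `--homedir` and compares the fingerprint rather than trusting any key gpg knows.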

On 26.06.2023 at 10:43, Carlos E. R. wrote:
> On 2023-06-26 07:09, Johannes Kastl wrote:
>> Good morning,
>> On 26.06.23 at 05:19 Lew Wolfgang wrote:
>>> On 6/25/23 14:55, Georg Pfuetzenreuter via openSUSE Factory wrote:
>>>> Hi,
>>>> all packages are signed using GPG - you can establish trust by validating their signatures. ISO images are shipped together with a signed checksum you can validate and compare.
>>> Yes, sha256 hashes are good. But where do you get the hash from? The same site that offers the ISO? What could possibly go wrong?
>> Georg already wrote that the checksum is signed. Hence you can check if the checksum you downloaded is legit. Of course for that you need to trust the openSUSE GPG key.
> The GPG keys are to be verified against the list here:
> https://en.opensuse.org/openSUSE:Signing_Keys
> for which you need to certify that you are actually on that page and not another.
> Maybe we could get other pages, for example a suse.com page, to include this information so that there are several copies around.
We can link more resources to prove the pgp key with keyoxide: https://docs.keyoxide.org/understanding-keyoxide/keyoxide/

On Sun, 25 Jun 2023 20:19:52 -0700, Lew Wolfgang wrote:
> The issue is of validation of control of the domain. A hacker could take over opensuse.org, then take out a Let's Encrypt cert and distribute malware over the secure channel.
They wouldn't need to take out a new LE cert to distribute malware over the secure channel; they would already *have* a certificate, regardless of where the certificate comes from.
--
Jim Henderson Please keep on-topic replies on the list so everyone benefits

On 26.06.2023 21:51, Jim Henderson wrote:
> On Sun, 25 Jun 2023 20:19:52 -0700, Lew Wolfgang wrote:
>> The issue is of validation of control of the domain. A hacker could take over opensuse.org, then take out a Let's Encrypt cert and distribute malware over the secure channel.
> They wouldn't need to take out a new LE cert to distribute malware over the secure channel; they would already *have* a certificate, regardless of where the certificate comes from.
"Take over opensuse.org" is ambiguous. It may mean "systems servicing opensuse.org are compromised"; but it may also mean "domain name opensuse.org is redirected to another server(s)". In the latter case, servers that receive requests for opensuse.org would need a valid certificate for this domain trusted by the client. And in this case such a hijacked domain would actually pass LE checks (at least, the checks that are described in their documentation).

On Mon, 26 Jun 2023 22:01:06 +0300, Andrei Borzenkov wrote:
> "Take over opensuse.org" is ambiguous. It may mean "systems servicing opensuse.org are compromised"; but it may also mean "domain name opensuse.org is redirected to another server(s)". In the latter case, servers that receive requests for opensuse.org would need a valid certificate for this domain trusted by the client. And in this case such a hijacked domain would actually pass LE checks (at least, the checks that are described in their documentation).
That's fair. But if the domain were to be redirected, there's nothing that would prevent someone from getting a LE certificate anyway, and most people aren't going to verify the certificate is actually the "real" certificate, just that it's valid. Prior to this thread, I had no idea that the openSUSE.org domain used a LE certificate. I think the real question here is what the probability is of the domain being hijacked through either social engineering (I would hope that's low) or DNS poisoning/spoofing.
--
Jim Henderson Please keep on-topic replies on the list so everyone benefits

Participants (10): Adam Mizerski, Andrei Borzenkov, Carlos E. R., Cyrus, Dan Čermák, Georg Pfuetzenreuter, Jim Henderson, Johannes Kastl, Konstantin Voinov, Lew Wolfgang