[opensuse-security] Why no SSL for download.opensuse.org ?
We have learned how much effort governments take to control and monitor the Internet. With this in regard, wouldn´t it make sense to switch download.opensuse.org to SSL? I know, rpm packages are signed with GnuPG, but if you add a new repo an attacker still is able to give you a forged GnuPG key and a forged repo, not the repo you actually tried to subscribe to. Thus, GnuPG signing of rpm does not prohibit man in the middle attacks. I think SSL for download.opensuse.org would give more safety to people living in authoritarian regimes who want to download openSUSE software. Malte
On Sat 06 Jul 2013 10:34:45 Malte Gell wrote:
We have learned how much effort governments take to control and monitor the Internet. With this in regard, wouldn´t it make sense to switch download.opensuse.org to SSL? I know, rpm packages are signed with GnuPG, but if you add a new repo an attacker still is able to give you a forged GnuPG key and a forged repo, not the repo you actually tried to subscribe to. Thus, GnuPG signing of rpm does not prohibit man in the middle attacks. I think SSL for download.opensuse.org would give more safety to people living in authoritarian regimes who want to download openSUSE software.
Malte
The downloads themselves don't need to be SSL. Nobody should really trust a large download without a checksum or some other sort of error checking. Many people use torrents now anyway, and often they're more reliable. But the openSUSE web page with the checksums for the downloads should absolutely be SSL. This should be easy to do. Regards, Eoin -- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-security+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Content-ID:
We have learned how much effort governments take to control and monitor the Internet. With this in regard, wouldn´t it make sense to switch download.opensuse.org to SSL? I know, rpm packages are signed with GnuPG, but if you add a new repo an attacker still is able to give you a forged GnuPG key and a forged repo, not the repo you actually tried to subscribe to. Thus, GnuPG signing of rpm does not prohibit man in the middle attacks. I think SSL for download.opensuse.org would give more safety to people living in authoritarian regimes who want to download openSUSE software.
Not practical. Most of the downloads do not come from download.opensuse.org, but from mirrors all over the world. The certificate would apply to download.opensuse.org, whereas the actual download might be comming from anywhere (download.opensuse.org is a redirector); meaning they would not match and the connection would be invalidated. To do this you would force all mirrors to provide ssl with the proper certificate (which costs money). Or opensuse.org would have to act as certification authority. What you need instead is convincing openSUSE to apply a good security policy to the GnuPG signatures used. For example, view this thread for more info: http://forums.opensuse.org/showthread.php?t=469581 or vote: https://features.opensuse.org/312047 make repo keys available on project's web site via SSL or more info: https://forums.opensuse.org/english/other-forums/community-fun/general-chit-... https://forums.opensuse.org/english/get-technical-help-here/install-boot-log... - -- Cheers, Carlos E. R. (from 12.3 x86_64 "Dartmouth" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) iEYEARECAAYFAlHZzskACgkQtTMYHG2NR9VRNACeOw5ObvpMLhceyeJKndzOKK5K pDgAn1VSuAQxy0d77YKqoxxxcPheLXOv =j7Rm -----END PGP SIGNATURE-----
participants (3)
-
Carlos E. R.
-
eoinkirwan@eircom.net
-
Malte Gell