Re: [opensuse-security] don't follow the https'ers off the cliff... ;-)
Jean-Christophe Baptiste wrote:
Are you joking? Downloading an operating system not a sensitive operation? Software integrity, useless?
Of course, there are, I need a proof that what I get has not been tampered with.
You already have it. You have signatures on the rpms. That's what they are for. Https was intended to provide protection from snooping. If you don't think large corporate ISPs can't purchase root-certs, or more likely "subordinated root certs" (those have already happened and only made public when the corps mis-handled the certs and let them get swiped), you'd be naive. On smaller scales, sites with multiple users/clients are already likely to force internal clients to use a caching & filtering proxy to access the outside web. With that in place, they can install site-local root certs on site-owned clients and require mobile clients (if allowed), to install site-local root-certs in order to have access to the outside web. The large uptick in https usage has forced sites not using MITM proxies to change policies. Fortunately, both downloaded rpms and sites providing sensitive tars provide signatures for both that provide tampering protection. Not only do the sigs provide tamper protection during transit, but they also provide tamper protection for rpms stored locally, months later.
Client side, what browser would be caching a 700MB file anyway? It would serve no purpose.
It does. I've fetched 700+ MB images from opensuse and MS from cache as long as 1-2 months after original download. Seeing large downloads complete at >100MB/s is a noticeable event. Wherever possible, I disable individual client and machine caches because they waste space. Instead, I use one large cache on an opensuse machine. Best speed boosts are on interactive websites, where there is more content duplication. It's not common to find 700MB requests duplicated, but given the long time that distro-images stay constant and the size of proxy cache, it's happened a few times. Regardless of the transport protocol, the integrity of the downloaded images is still available by signature verification.
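Added example, not part of the thread: a shell sketch of the transport-independent check described in the message above, usable on a freshly downloaded image or on a copy served from a proxy cache months later. It assumes a sha256sum-style checksum file, a detached OpenPGP signature over that file, and a keyring file holding the distributor's public key that was obtained separately; all file names and function names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: gpgv and sha256sum are
# installed; the checksum file uses the "DIGEST  FILENAME" layout that
# sha256sum writes; file names contain no whitespace.

# Succeed only if SIG is a valid detached signature over SUMFILE made by a
# key in KEYRING (a path to a keyring file; gpgv consults only that keyring).
verify_checksum_signature() {
    keyring=$1 sig=$2 sumfile=$3
    gpgv --keyring "$keyring" "$sig" "$sumfile" >/dev/null 2>&1
}

# Succeed only if IMAGE hashes to the digest listed for its basename.
# Returns 2 when the image is not listed at all, so the check fails closed.
check_image_digest() {
    image=$1 sumfile=$2
    name=$(basename "$image")
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f)           # "*name" marks binary mode
          if (f == n) { print tolower($1); exit } }' "$sumfile")
    [ -n "$expected" ] || return 2
    actual=$(sha256sum "$image" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Order matters: the digest is only trusted after its signature checks out.
# Usage: verify_image KEYRING SIG SUMFILE IMAGE
verify_image() {
    verify_checksum_signature "$1" "$2" "$3" ||
        { echo "checksum file signature invalid: $3" >&2; return 1; }
    check_image_digest "$4" "$3" ||
        { echo "digest mismatch or image not listed: $4" >&2; return 1; }
    echo "OK: $4"
}
```

The result depends on where the keyring came from: the check is only as strong as the channel over which the public key was first obtained.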
On 19/12/2016 at 20:22, L A Walsh wrote:
Jean-Christophe Baptiste wrote:
Are you joking? Downloading an operating system not a sensitive operation? Software integrity, useless?
Of course, there are, I need a proof that what I get has not been tampered with.
You already have it. You have signatures on the rpms. That's what they are for. Https was intended to provide protection from snooping.
I know that but as you say yourself, they serve two complementary purposes. I want HTTPS to download the media, otherwise the whole signature infrastructure is useless if I get a different operating system.
If you don't think large corporate ISPs can't purchase root-certs, or more likely "subordinated root certs" (those have already happened and only made public when the corps mis-handled the certs and let them get swiped), you'd be naive.
I have worked for an ISP and never heard of such a practice. So I may still be naive despite being paranoid by profession. Note that generally the threat model of the people I work for is not the secret services. But it may be a motivated and skillful offender (hacker, if you prefer). So, HTTPS matters.
On smaller scales, sites with multiple users/clients are already likely to force internal clients to use a caching & filtering proxy to access the outside web. With that in place, they can install site-local root certs on site-owned clients and require mobile clients (if allowed), to install site-local root-certs in order to have access to the outside web. The large uptick in https usage has forced sites not using MITM proxies to change policies.
Again I am surprised by your picture of companies. Not many do TLS interception, and when they do, then, what is the threat for a user like me downloading an OS media? The threat is not the company, because otherwise you would be owned in many ways. The threat is a malicious insider, for instance.
Fortunately, both downloaded rpms and sites providing sensitive tars provide signatures for both that provide tampering protection. Not only do the sigs provide tamper protection during transit, but they also provide tamper protection for rpms stored locally, months later.
Again, different and complementary purpose, see above. I would also add: security in depth.
Client side, what browser would be caching a 700MB file anyway? It would serve no purpose.
It does. I've fetched 700+ MB images from opensuse and MS from cache as long as 1-2 months after original download. Seeing large downloads complete at >100MB/s is a noticeable event. Wherever possible, I disable individual client and machine caches because they waste space. Instead, I use one large cache on an opensuse machine. Best speed boosts are on interactive websites, where there is more content duplication.
Generally not, and fortunately as it would not make sense to waste that much space for a single file. You may configure your local network as you want, but it cannot make a case against a security consensus. I will stop here as I do not really want to debate on something that has been admitted by an entire security community for years. It is not people copying Google. It is simply Google following best practices of the security industry.
Jean-Christophe Baptiste wrote:
I know that but as you say yourself, they serve two complementary purposes. I want HTTPS to download the media, otherwise the whole signature infrastructure is useless if I get a different operating system.
If you get a different OS? How's that?
I have worked for an ISP and never heard of such a practice. So I may still be naive despite being paranoid by profession.
First widely known instance: https://freedom-to-tinker.com/2013/01/03/turktrust-certificate-authority-err...
Mozilla acknowledging and stomping feet: http://www.computerworld.com/article/2495053/desktop-apps/mozilla-moves-to-l...
It's happened, it's acknowledged, Mozilla threatens actions, but can only ask for administrative controls.