A Professor needing information about repositories.
Have a good day, dear community. I am an Uruguayan teacher and technician who has been using several distros for years (and counting :D) and wants to learn some particular things about Linux repositories. Just for the pleasure of saying it, my system of daily use has been (and is, and will be) openSUSE for 14 years :D :D :D I have been talking with one of the repo maintainers and with some users of the Mageia community with the intention of being able to finish writing a disclosure-level manual on repositories that tries to be an important reference for students, and that in turn will remain for the community. What I am interested to know fits better in the following questions, so I have taken the liberty of writing these questions, hoping that some mates could answer, little by little, the ones that they want. Here I go, and thanks beforehand!
I) Are http repos more insecure than the https ones?
II) Where is there a list of "https" repos of every http repo in the case of openSUSE?
III) In which cases is it NOT advisable to add all (and only) https repos for openSUSE?
IV) Can a replica or clone of an official repository server represent a threat?
V) What modifications does openSUSE introduce in its Linux kernel to adapt it to the system?
VI) In which cases is it advisable to add the kernel.org repo to use the intact Linux kernel?
I apologize if this is not the list for this type of topic. In that case, I can delete the thread and post it in another list. Big hug!
On 22.12.2021 at 01:36, Hugo Napoli wrote:
I) Are http repos more insecure than the https ones?
II) Where is there a list of "https" repos of every http repo in the case of openSUSE?
III) In which cases is it NOT advisable to add all (and only) https repos for openSUSE?
Interesting questions. I'll answer just those I have some knowledge about.
I) Are http repos more insecure than the https ones?
In general: no. All packages are digitally signed. If someone performed a man-in-the-middle attack trying to give a malicious package, the signature would be broken. The only difference would be that an attacker could know exactly which packages you have installed. With https they would only know that you're downloading "something" from openSUSE repositories.
II) Where is there a list of "https" repos of every http repo in the case of openSUSE?
III) In which cases is it NOT advisable to add all (and only) https repos for openSUSE?
I don't think I understand those, but I'll try.
II) If a repo URL starts with "download.opensuse.org" then it's available through both http and https. What's also interesting is that download.opensuse.org runs software called mirrorbrain, which redirects to other mirrors. You can have a look at an example:
- http://download.opensuse.org/distribution/leap/15.4/iso/openSUSE-Leap-15.4-D...
- https://download.opensuse.org/distribution/leap/15.4/iso/openSUSE-Leap-15.4-...
III) There is a scenario where you might need to use http: if you have multiple machines in your organization and you want to reduce internet traffic when they all download the same packages, you can use apt-cacher-ng (yes, it works with rpms too) or squid cache. But to make it work, clients must use http.
Adam Mizerski wrote:
II) Where is there a list of "https" repos of every http repo in the case of openSUSE?
III) In which cases is it NOT advisable to add all (and only) https repos for openSUSE?
I don't think I understand those, but I'll try.
II) If a repo URL starts with "download.opensuse.org" then it's available through both http and https. What's also interesting is that download.opensuse.org runs software called mirrorbrain, which redirects to other mirrors. You can have a look at an example:
mirrorbrain does not support https, so https://download.opensuse.org is redirected to 'mirrorcache' which does support https.
III) There is a scenario where you might need to use http: if you have multiple machines in your organization and you want to reduce internet traffic when they all download the same packages, you can use apt-cacher-ng (yes, it works with rpms too) or squid cache. But to make it work, clients must use http.
Plus not all mirrors support https.
-- Per Jessen, Zürich (0.1°C)
On 22.12.2021 13:30, Per Jessen wrote:
mirrorbrain does not support https, so https://download.opensuse.org is redirected to 'mirrorcache' which does support https.
Is a current list of HTTPS mirrors available somewhere? I am only aware of the standard mirrorbrain list (https://mirrors.opensuse.org/)
Andrei Borzenkov wrote:
On 22.12.2021 13:30, Per Jessen wrote:
mirrorbrain does not support https, so https://download.opensuse.org is redirected to 'mirrorcache' which does support https.
Is a current list of HTTPS mirrors available somewhere? I am only aware of the standard mirrorbrain list (https://mirrors.opensuse.org/)
Me too, I don't know, but I guess mirrorcache will have a list. The easiest is probably to look at a mirrorlist:
https://mirrorcache.opensuse.org/distribution/leap/15.3/repo/oss/ARCHIVES.gz...
I had expected that list to only have https mirrors, but it also lists http.
-- Per Jessen, Zürich (1.8°C)
On Wed, 22 Dec 2021 13:38:10 +0100 Per Jessen <per@computer.org> wrote:
Andrei Borzenkov wrote:
On 22.12.2021 13:30, Per Jessen wrote:
mirrorbrain does not support https, so https://download.opensuse.org is redirected to 'mirrorcache' which does support https.
Is a current list of HTTPS mirrors available somewhere? I am only aware of the standard mirrorbrain list (https://mirrors.opensuse.org/)
Me too, I don't know, but I guess mirrorcache will have a list. The easiest is probably to look at a mirrorlist:
https://mirrorcache.opensuse.org/distribution/leap/15.3/repo/oss/ARCHIVES.gz...
Interesting. Why/how does the URL you've posted adjust itself to apparently knowing that I live in the UK, but for some reason thinks I live in the middle of a park in Chertsey? (FWIW opensuse.org is not permitted to run javascript by default)
I had expected that list to only have https mirrors, but it also lists http.
It claims there are only http mirrors in the UK, so perhaps similar situations are the reason.
Dave Howorth wrote:
On Wed, 22 Dec 2021 13:38:10 +0100 Per Jessen <per@computer.org> wrote:
Andrei Borzenkov wrote:
On 22.12.2021 13:30, Per Jessen wrote:
mirrorbrain does not support https, so https://download.opensuse.org is redirected to 'mirrorcache' which does support https.
Is a current list of HTTPS mirrors available somewhere? I am only aware of the standard mirrorbrain list (https://mirrors.opensuse.org/)
Me too, I don't know, but I guess mirrorcache will have a list. The easiest is probably to look at a mirrorlist:
https://mirrorcache.opensuse.org/distribution/leap/15.3/repo/oss/ARCHIVES.gz...
Interesting. Why/how does the URL you've posted adjust itself to apparently knowing that I live in the UK, but for some reason thinks I live in the middle of a park in Chertsey?
Mapping an IP address or range to a country code is easy, but where the coordinates (lat, long) are from, I don't know. Maybe from maxmind. The coordinates I see for my own address are also off by a good few kilometers.
I had expected that list to only have https mirrors, but it also lists http.
It claims there are only http mirrors in the UK, so perhaps similar situations are the reason.
We have five UK mirrors, of which only two support https (but they don't have Leap 15.3).
-- Per Jessen, Zürich (-0.1°C)
On 12/22/21 2:26 PM, Dave Howorth wrote:
Interesting. Why/how does the URL you've posted adjust itself to apparently knowing that I live in the UK, but for some reason thinks I live in the middle of a park in Chertsey? (FWIW opensuse.org is not permitted to run javascript by default)
https://www.maxmind.com/en/geoip2-services-and-databases
Javascript doesn't give you location information just because you have it enabled. The service requires some sort of location information like a GPS on your device. And then it would ask you for permission to use this location information.
- Adam
On Wed, 22 Dec 2021 16:11:47 +0100 Adam Majer <amajer@suse.de> wrote:
On 12/22/21 2:26 PM, Dave Howorth wrote:
Interesting. Why/how does the URL you've posted adjust itself to apparently knowing that I live in the UK, but for some reason thinks I live in the middle of a park in Chertsey? (FWIW opensuse.org is not permitted to run javascript by default)
https://www.maxmind.com/en/geoip2-services-and-databases
Javascript doesn't give you location information just because you have it enabled. The service requires some sort of location information like a GPS on your device. And then it would ask you for permission to use this location information.
- Adam
Thanks (and thanks to Per too :) I just mentioned JS in case it was relevant. Yes, my device has no capability to know where it is and usually when something attempts to locate me it suggests I'm in my ISP's location in a datacentre in London. It was just the weirdness of suggesting the middle of a park in a random town that I thought intriguing :)
Hi, Andrei!
Is a current list of HTTPS mirrors available somewhere? I am only aware of the standard mirrorbrain list (https://mirrors.opensuse.org/)
Exactly. That's what I was asking, too. I saw this for Fedora and Ubuntu, just to say 2 examples. Maybe I've seen it for Debian, I think.
Hi, Per, and thank you for your precise clarifications.
mirrorbrain does not support https, so https://download.opensuse.org is redirected to 'mirrorcache' which does support https.
What's the difference between mirrorbrain and mirrorcache? I know what they are, and now I also know that they are different things, but I cannot find fundamental differences between them (in fact, before reading you, I thought they were the same, and thanks to you I was reading about this topic).
Hugo Napoli wrote:
Hi, Per, and thank you for your precise clarifications.
mirrorbrain does not support https, so https://download.opensuse.org is redirected to 'mirrorcache' which does support https.
What's the difference between mirrorbrain and mirrorcache? I know what they are, and now I also know that they are different things, but I cannot find fundamental differences between them (in fact, before reading you, I thought they were the same, and thanks to you I was reading about this topic).
Hi Hugo
mirrorbrain is our current load-distributor, directing download requests to a mirror site that is best suited for your location. Granted, 'best' is sometimes debatable. mirrorcache is a new development intended to make up for some of mirrorbrain's deficiencies. Specifically that mirrorbrain does not support ipv6 and https. Maybe Andrii, the main developer, can add more info.
-- Per Jessen, Zürich (5.9°C) Member, openSUSE Heroes
mirrorbrain is our current load-distributor, directing download requests to a mirror site that is best suited for your location. Granted, 'best' is sometimes debatable. mirrorcache is a new development intended to make up for some of mirrorbrain's deficiencies. Specifically that mirrorbrain does not support ipv6 and https. Maybe Andrii, the main developer, can add more info.
It's an excellent explanation. Thank you again :D If Andrii joins the conversation, it will be even better!
On 12/22/21 1:04 AM, Adam Mizerski wrote:
On 22.12.2021 at 01:36, Hugo Napoli wrote:
I) Are http repos more insecure than the https ones?
II) Where is there a list of "https" repos of every http repo in the case of openSUSE?
III) In which cases is it NOT advisable to add all (and only) https repos for openSUSE?
Interesting questions. I'll answer just those I have some knowledge about.
I) Are http repos more insecure than the https ones?
In general: no. All packages are digitally signed. If someone performed a man-in-the-middle attack trying to give a malicious package, the signature would be broken. The only difference would be that an attacker could know exactly which packages you have installed. With https they would only know that you're downloading "something" from openSUSE repositories.
II) Where is there a list of "https" repos of every http repo in the case of openSUSE?
III) In which cases is it NOT advisable to add all (and only) https repos for openSUSE?
I don't think I understand those, but I'll try.
II) If a repo URL starts with "download.opensuse.org" then it's available through both http and https. What's also interesting is that download.opensuse.org runs software called mirrorbrain, which redirects to other mirrors. You can have a look at an example:
- http://download.opensuse.org/distribution/leap/15.4/iso/openSUSE-Leap-15.4-D...
- https://download.opensuse.org/distribution/leap/15.4/iso/openSUSE-Leap-15.4-...
III) There is a scenario where you might need to use http: if you have multiple machines in your organization and you want to reduce internet traffic when they all download the same packages, you can use apt-cacher-ng (yes, it works with rpms too) or squid cache. But to make it work, clients must use http.
I've encountered a use-case for https when an organization employs a deep-packet inspection Intrusion Prevention System (IPS). An IPS false-positive on a repository download could block the stream and silently block updates. This actually happened to me a few years ago when all the repositories were only http. Of course the converse is also true, where real malware could slip through with https. Name your poison?
Regards, Lew
I've encountered a use-case for https when an organization employs a deep-packet inspection Intrusion Prevention System (IPS). An IPS false-positive on a repository download could block the stream and silently block updates. This actually happened to me a few years ago when all the repositories were only http. Of course the converse is also true, where real malware could slip through with https. Name your poison?
I agree. I suppose that of the most well-known methods, in Linux the "signature-based detection" for each package clearly predominates. Do you think the same?
On 12/23/21 09:55, Hugo Napoli wrote:
I've encountered a use-case for https when an organization employs a deep-packet inspection Intrusion Prevention System (IPS). An IPS false-positive on a repository download could block the stream and silently block updates. This actually happened to me a few years ago when all the repositories were only http. Of course the converse is also true, where real malware could slip through with https. Name your poison?
I agree. I suppose that of the most well-known methods, in Linux the "signature-based detection" for each package clearly predominates. Do you think the same?
Yes, certainly. My concern was if the official software supply-chain is hacked or contains a zero-day threat, the officially signed repos would contain the vulnerability. An up-to-date IPS might flag these if the traffic were http. A zero-day threat example would be the recent log4j vulnerability. There have been examples of supply-chain hacks, but I don't recall openSUSE ever being affected. Still, I've had to explain to the information assurance folks why pulling repository data from a mirror in Bangladesh is perfectly safe if the files are cryptographically signed and checked. Why I was directed to a mirror in Bangladesh from California is fodder for another discussion.
Regards, Lew
I just saw what you say, directly reading from the source itself. There were several vulnerabilities: https://logging.apache.org/log4j/2.x/security.html
How interesting, what you say, Lew. If I understand correctly, "an up-to-date IPS might flag these if the traffic were http", does it mean that an http connection would be more desirable than an https one?
On 12/23/21 12:54, Hugo Napoli wrote:
I just saw what you say, directly reading from the source itself. There were several vulnerabilities: https://logging.apache.org/log4j/2.x/security.html
How interesting, what you say, Lew.
If I understand correctly, "an up-to-date IPS might flag these if the traffic were http", does it mean that an http connection would be more desirable than an https one?
Yes, in the case of a large organization which uses an IPS device, http would be preferable. An IPS does deep packet inspection of all traffic sent through it, looking for security threats. If it finds one it can block the traffic for that particular session before it gets to the end user. But in the case I experienced, the IPS came up with a false-positive and blocked my traffic without warning while doing a zypper update. But note that an IPS device isn't something a regular user would employ, they are quite costly. As Per mentioned, there's no real reason to go https since file integrity is already cryptographically ensured.
Regards, Lew
Fully understood, Lew. You helped me to understand much better some aspects that I didn't have so clear. Soon I'll publish here a link to a document (public, that doesn't need account access) in Google Drive with all our answers, and more answered questions with some Mageia mates, so all of us can read it, criticize it and appropriate it :D
Hi, Adam! Thank you very much for your responses. I'm starting to take note of everything the mates are writing.
III) In which cases is it NOT advisable to add all (and only) https repos for openSUSE?
Here, I meant the following. In openSUSE, by default, the URLs of the repositories that are added during installation begin with "http". The same thing happens after it, when you go to add Packman, for example. For some time now, what I've been doing is editing the URLs manually, changing them all to "https", and they work remarkably well. The only "but" that I found was that the refresh of the repositories is almost 3 times slower (15 seconds through http and 40 seconds through https), but knowing that SSH adds security to http, I honestly do not care. The question came from the side of whether to some extent you (or a colleague) would indicate that it is better not to do this and leave http by default.
Hugo Napoli wrote:
In openSUSE, by default, the URLs of the repositories that are added during installation begin with "http". The same thing happens after it, when you go to add Packman, for example. For some time now, what I've been doing is editing the URLs manually, changing them all to "https", and they work remarkably well. The only "but" that I found was that the refresh of the repositories is almost 3 times slower (15 seconds through http and 40 seconds through https), but knowing that SSH adds security to http, I honestly do not care. The question came from the side of whether to some extent you (or a colleague) would indicate that it is better not to do this and leave http by default.
My personal opinion - because there is little or nothing gained by going to https, why bother. Also, for the time being, our support for https mirrors remains somewhat experimental, but I hope we'll get to a point where https is as well supported as http.
-- Per Jessen, Zürich (5.2°C) Member, openSUSE Heroes.
I understand your point of view about https in repository urls. And about openSUSE and the http-secure support, I think that it will be achieved :)
On 22/12/2021 01.36, Hugo Napoli wrote:
IV) Can a replica or clone of an official repository server represent a threat?
AFAIK no, because packages are signed using GPG. If the clone rogue server changes a package, the signature would fail - The rogue server could repackage using a different signature and accordingly update all the rogue repo metadata, but that different signature would make package installation at the clients fail, unless those clients validate that rogue signature.
-- Cheers / Saludos, Carlos E. R. (from 15.2 x86_64 at Telcontar)
Hello, Carlos! :D
AFAIK no, because packages are signed using GPG. If the clone rogue server changes a package, the signature would fail - The rogue server could repackage using a different signature and accordingly update all the rogue repo metadata, but that different signature would make package installation at the clients fail, unless those clients validate that rogue signature.
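The integrity chain behind both Adam's answer to question I and Carlos's answer to question IV, as an added example (not code from this thread or from openSUSE's tooling): a constructed, namespace-free miniature of the repodata layout, in which the GPG-signed repomd.xml pins the sha256 of primary.xml, which in turn pins the sha256 of every package, so a mirror or an on-path party on plain http cannot change a file without the chain breaking. Paths, package bodies and helper names are made up; the GPG verification of repomd.xml.asc, which the client does first, is assumed to have already succeeded.

```python
import hashlib
import xml.etree.ElementTree as ET

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_repo(packages: dict) -> dict:
    """Miniature repo as {path: bytes} (constructed data). Real repodata is namespaced
    and gzipped; only the checksum links repomd.xml -> primary.xml -> package are kept."""
    files = dict(packages)
    entries = "".join(
        f'<package><checksum type="sha256" pkgid="YES">{sha256(blob)}</checksum>'
        f'<location href="{path}"/></package>' for path, blob in packages.items())
    primary = f"<metadata>{entries}</metadata>".encode()
    files["repodata/primary.xml"] = primary
    files["repodata/repomd.xml"] = (
        f'<repomd><data type="primary"><checksum type="sha256">{sha256(primary)}'
        '</checksum><location href="repodata/primary.xml"/></data></repomd>').encode()
    return files

def verify_repo(trusted_repomd: bytes, mirror: dict) -> tuple:
    """Check every file a mirror serves against the trusted repomd.xml. A real client
    gets here only after repomd.xml.asc verified against the repo's GPG key; that
    signature is the root of trust and the one step not simulated. Returns (ok, why)."""
    for data in ET.fromstring(trusted_repomd).findall("data"):
        href = data.find("location").get("href")
        blob = mirror.get(href)
        if blob is None or sha256(blob) != data.find("checksum").text:
            return False, f"metadata {href} missing or altered"
        if data.get("type") != "primary":
            continue
        for pkg in ET.fromstring(blob).findall("package"):
            phref = pkg.find("location").get("href")
            pblob = mirror.get(phref)
            if pblob is None or sha256(pblob) != pkg.find("checksum").text:
                return False, f"package {phref} missing or altered"
    return True, "every file matches the signed index"

# Origin repository, and the repomd.xml the client has already GPG-verified.
GOOD = {"x86_64/hello-1.0.rpm": b"hello payload", "noarch/docs-2.1.rpm": b"docs payload"}
ORIGIN = build_repo(GOOD)
TRUSTED_REPOMD = ORIGIN["repodata/repomd.xml"]

def honest_mirror() -> tuple:
    return verify_repo(TRUSTED_REPOMD, dict(ORIGIN))

def tampered_package() -> tuple:
    """A rogue mirror (or an on-path party on plain http) swaps one package body."""
    mirror = dict(ORIGIN)
    mirror["x86_64/hello-1.0.rpm"] = b"hello payload + backdoor"
    return verify_repo(TRUSTED_REPOMD, mirror)

def tampered_index() -> tuple:
    """The mirror also regenerates primary.xml to match its package; the signed
    repomd.xml still pins the original primary.xml, so detection moves up a level."""
    mirror = build_repo({**GOOD, "x86_64/hello-1.0.rpm": b"hello payload + backdoor"})
    return verify_repo(TRUSTED_REPOMD, mirror)

if __name__ == "__main__":
    print(honest_mirror(), tampered_package(), tampered_index(), sep="\n")
```

If the mirror rewrites repomd.xml as well, the check that catches it is the GPG signature the example assumes, which is why the thread's answer to "can a clone be a threat" hinges on clients only trusting keys they deliberately imported.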
I agree. That's why it's important to use the appropriate keys and certificates when installing outside packages.