## Prelude

Recently I received a checksum error during a system upgrade, something like this:
```
2017-09-11 20:28:48 <1> brilliant-laptop(25623) [zypp++] MediaCurl.cc(log_redirects_curl):135 redirecting to Location: http://ftp-srv2.kddilabs.jp/Linux/packages/opensuse/tumbleweed/repo/oss/suse...
2017-09-11 20:28:48 <2> brilliant-laptop(25623) [FileChecker] FileChecker.cc(operator()):64 File /var/cache/zypp/packages/repo-oss/suse/noarch/qemu-sgabios-8-1.1.noarch.rpm has wrong checksum sha1-1f96e12b066af531cec4d104fa4522966fb8af4f (expected sha1-18f04703e82b012340400398f0b7404b07b77769)
```
I think my ISP might have a transparent proxy server to save their bandwidth, and the file on that proxy server might be broken. I have even once been offered a corrupted installer ISO! (Which installed without any error in a test VM.) I am not sure if I am suffering from a deliberate MITM attack. So I spent some time investigating the security model of openSUSE package delivery.

## Investigation

I set up Wireshark and some other tools to capture the network data. Here are my findings. (If anything below is wrong, please tell me.)

- All official repos (repo-debug, repo-non-oss, repo-oss, repo-source, repo-update) are HTTP, but their GPG keys are preloaded in the installer ISO. If the user checksums their installation media, this will be safe enough.
- If the user chooses to One-Click-Install an "unstable package" on software.opensuse.org, the ymp script is served over HTTPS, but OBS repository URLs are HTTP by default.
- OneClickInstallUI fetches repomd.xml.key over plain HTTP, and asks the user whether to "Import Untrusted GPG Key".
- It is not easy to check whether the GPG key is correct by hand and eye. At least it is not one-click-available, since the "GPG Key / SSL Certificate" button is only visible on the page of your own OBS project.
- It is lucky that repomd.xml.key is not distributed to 3rd-party mirrors by MirrorBrain. Although mirrors can do no evil to the key, it might still be vulnerable to an MITM attack.

Conclusion: official repos are safe, but OBS repos are something we might need to be careful with. Although openSUSE is not responsible for the quality of the software in user repos, it had better lengthen the shortest stave on the security barrel for the user.

## Suggestions

It might be difficult to modify the current architecture. I want to suggest some ways to make it better. I am not sure if they work, let's just discuss them.

1. Embedding the GPG key in the ymp script.
   This might require modification to OneClickInstallUI, and it is safe once the ymp is served over HTTPS. Any 3rd-party repo may benefit from the feature by embedding their keys.

2. Showing the GPG key in a place where the user can never miss it. Also educate the user to check it. This includes not hiding the "GPG Key / SSL Certificate" button for repos not owned by oneself. In addition, put it on both build.opensuse.org and software.opensuse.org.

3. Alternatively, serving the repo metadata over HTTPS, but packages over HTTP. This requires the least modification to the client. Since repomd.xml.key already bypasses MirrorBrain, simply changing the repo's URL to HTTPS will make it safe. As side effects, it will increase the load on the download.opensuse.org server, and will increase the time required to do a "zypper refresh".

Anyway, if I made any mistake in this mail, please tell me. I hope openSUSE could be more secure and easier to use.

-- 
StarBrilliant
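The check behind the "wrong checksum" line in the prelude, and the reason suggestion 3 (metadata over HTTPS, packages over plain HTTP) is sound, is that every package is bound to a digest recorded in the repository metadata. The following is an added example, not zypp's or openSUSE's own code: it parses a constructed rpm-md `primary.xml` fragment, hashes a constructed stand-in for a downloaded package with the algorithm named there, and reports a mismatch in the same shape as the zypper log. The package bytes, the package name and the metadata fragment are all constructed for the demonstration.

```python
"""Metadata-driven package verification, the check zypper's FileChecker performs
(added example, not zypp's or openSUSE's own code). The primary.xml fragment and
the 'package' bytes below are constructed for the demonstration."""
import hashlib
import xml.etree.ElementTree as ET

# rpm-md primary.xml uses this namespace; the fragment below mirrors its shape.
NS = {"c": "http://linux.duke.edu/metadata/common"}

# Constructed stand-in for a package: the RPM lead magic followed by filler.
GOOD_PACKAGE = b"\xed\xab\xee\xdb" + b"constructed fake rpm payload"
# What a broken proxy cache (or a tampering middlebox) might hand back: one byte differs.
TAMPERED_PACKAGE = GOOD_PACKAGE[:-1] + b"?"

PRIMARY_XML_TEMPLATE = """<metadata xmlns="http://linux.duke.edu/metadata/common" packages="1">
  <package type="rpm">
    <name>example-pkg</name>
    <arch>noarch</arch>
    <version epoch="0" ver="8" rel="1.1"/>
    <checksum type="sha256" pkgid="YES">{digest}</checksum>
    <location href="noarch/example-pkg-8-1.1.noarch.rpm"/>
  </package>
</metadata>
"""
# The metadata records the digest of the genuine package.
PRIMARY_XML = PRIMARY_XML_TEMPLATE.format(digest=hashlib.sha256(GOOD_PACKAGE).hexdigest())


def expected_checksums(primary_xml: str) -> dict:
    """Map each package's location href to (algorithm, hex digest)."""
    root = ET.fromstring(primary_xml)
    table = {}
    for pkg in root.findall("c:package", NS):
        href = pkg.find("c:location", NS).get("href")
        cs = pkg.find("c:checksum", NS)
        table[href] = (cs.get("type").lower(), cs.text.strip().lower())
    return table


def verify_package(data: bytes, algo: str, expected: str):
    """Hash the downloaded bytes with the algorithm named in the metadata.
    Returns (ok, actual_digest). rpm-md repos use sha1, sha256 or sha512 here."""
    actual = hashlib.new(algo, data).hexdigest()
    return actual == expected, actual


def check_download(href: str, data: bytes, primary_xml: str = PRIMARY_XML) -> str:
    """Return 'ok', or a message in the shape of the zypper log line above."""
    table = expected_checksums(primary_xml)
    if href not in table:
        return f"File {href} is not listed in the repository metadata"
    algo, expected = table[href]
    ok, actual = verify_package(data, algo, expected)
    if ok:
        return "ok"
    return f"File {href} has wrong checksum {algo}-{actual} (expected {algo}-{expected})"


if __name__ == "__main__":
    href = "noarch/example-pkg-8-1.1.noarch.rpm"
    print(check_download(href, GOOD_PACKAGE))      # ok
    print(check_download(href, TAMPERED_PACKAGE))  # File ... has wrong checksum sha256-... (expected sha256-...)
```

The chain does not stop at `primary.xml`: its own digest is listed in `repomd.xml`, and `repomd.xml` is what the repository key signs (`repomd.xml.asc`). A mirror or a transparent proxy can therefore only cause a download to fail, as in the prelude, not substitute a package that installs. The whole chain rests on having obtained the correct key, which is why the unauthenticated first fetch of `repomd.xml.key` over HTTP is the step the findings above single out.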