SHA256 and HTTPS for hashes

Sontaran
Level 1
Posts: 6
Joined: Wed Oct 14, 2009 8:08 pm

SHA256 and HTTPS for hashes

Post by Sontaran »

Hello. I'd like to suggest upgrading from MD5 to SHA256 (or better), for the hash you post for users to verify their files, now that MD5 has been crackable for some time.
Also, I'd like to suggest implementing https for the pages that show the file verification hashes.

Since Mint is the most popular Linux distribution, and has been for a few years, according to Distrowatch, it's probably a bigger target for MITM attacks and other mischief, and these two measures would go a long way to protect users.

Cheers

Sontaran
If there's no such thing as a free lunch, and if the best things in life are free, then lunch cannot be one of the best things in life.
C10H20O
Level 1
Posts: 1
Joined: Sun Jun 14, 2015 9:00 pm
Location: l’île de Pélops

Re: SHA256 and HTTPS for hashes

Post by C10H20O »

"I'd like to suggest implementing https for the pages that show the file verification hashes (..) it's probably a bigger target for MITM attacks and other mischief"

It's more likely that the host itself will be the target and the file (including the checksum) will be compromised.

Take a look at a mirror's directory listing:
http://mintlinux.mirror.triple-it.nl/iso/debian/

There you will find

Code:

sha256sum.txt                                      07-Apr-2015 14:27                2493
sha256sum.txt.gpg                                  07-Apr-2015 14:34                 198

First of all,
take care of your gpg configuration.
A good starting point would be perhaps
https://help.riseup.net/en/security/mes ... -practices
and its file
https://github.com/ioerror/duraconf/raw ... g/gpg.conf

Code:

~/.gnupg/gpg.conf

Then investigate the signature

Code:

gpg --list-packets --verbose sha256sum.txt.gpg

The output looks like

Code:

gpg: armor header: Version: GnuPG v1.4.12 (GNU/Linux)
:signature packet: algo 17, keyid 3EE67F3D0FF405B2
	version 4, created 1428416355, md5len 0, sigclass 0x00
	digest algo 2, begin of digest 79 92
	hashed subpkt 2 len 4 (sig created 2015-04-07)
	subpkt 16 len 8 (issuer key ID 3EE67F3D0FF405B2)
	data: [159 bits]
	data: [159 bits]

It's time to get the signer's key in a proper way (see gpg.conf above):

Code:

gpg --search-keys 3EE67F3D0FF405B2

It shows me

Code:

gpg: searching for "3EE67F3D0FF405B2" from hkps server hkps.pool.sks-keyservers.net
(1)	Clement Lefebvre (Linux Mint Package Repository v1) <root@linuxmint.co
	  1024 bit DSA key 0x3EE67F3D0FF405B2, created: 2009-04-29

You can look for more information on:
http://hkps.pool.sks-keyservers.net/pks ... n&exact=on

Code:

pub  1024D/0FF405B2 2009-04-29
	 Fingerprint=E1A3 8B8F 1446 75D0 60EA  666F 3EE6 7F3D 0FF4 05B2

uid Clement Lefebvre (Linux Mint Package Repository v1) <root@linuxmint.com>
sig  sig3  0FF405B2 2009-04-29 __________ __________ [selfsig]
sig  sig   AD11CBEE 2010-03-17 __________ __________ Steven Hancock <stevenh512@gmail.com>
sig  sig   B8F07507 2014-03-16 __________ __________ Tobias Loose <tobiasloose@gmx.de>
sig  sig   D068D42F 2014-12-08 __________ __________ Corey Sheldon (fedoraproject --default key) <sheldon.corey@gmail.com>

sub  2048g/0F346519 2009-04-29
sig sbind  0FF405B2 2009-04-29 __________ __________ []

And there it is:
A frighteningly ugly public key

Only three people signed the key.
Only one of these signers is doing something for his web of trust (Tobias Loose).

None of the team members are related to it.

It's a strange fact for the most popular distribution.
It's sad that none of the support team has answered this thread yet!


There are six different public keys for "Clement Lefebvre".
Neither signed nor revoked

Here are some examples to learn from:

https://tails.boum.org/download/index.en.html
https://tails.boum.org/doc/get/trusting ... ex.en.html

https://www.debian.org/CD/verify

https://gentoo.org/downloads/signatures/



And if you want to launch a TLS based website,
you can get a level 1 certificate for free:
https://github.com/ioerror/duraconf/tre ... r/startssl

And please, secure your server:
https://bettercrypto.org/
https://www.ssllabs.com/ssltest/
"Persephone of old was given grace to change a woman's [Mintha's] form to fragrant mint."
Ovid, Metamorphoses 10. 728 ff (trans. Melville) (Roman epic C1st B.C. to C1st A.D.)
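
As an added example (not part of the original post and not Linux Mint's tooling): the packet dump and key listing quoted above can be decoded against the OpenPGP algorithm numbers in RFC 4880, which shows that the signature over sha256sum.txt was made with a DSA key (algo 17) over a SHA-1 digest (digest algo 2). The weak-digest set and the 2048-bit threshold are assumed local policy, and the function names are hypothetical.

```python
import re

# OpenPGP algorithm IDs from RFC 4880 (sections 9.1 and 9.4).
PUBKEY_ALGOS = {1: "RSA", 16: "Elgamal", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
DIGEST_ALGOS = {1: "MD5", 2: "SHA-1", 3: "RIPEMD-160", 8: "SHA-256",
                9: "SHA-384", 10: "SHA-512", 11: "SHA-224"}
WEAK_DIGESTS = {"MD5", "SHA-1", "RIPEMD-160"}  # assumption: local policy
MIN_BITS = 2048  # assumption: local policy threshold for RSA/DSA keys

# Packet dump and keyserver line as quoted in the post above.
PACKETS = """\
:signature packet: algo 17, keyid 3EE67F3D0FF405B2
    version 4, created 1428416355, md5len 0, sigclass 0x00
    digest algo 2, begin of digest 79 92
    hashed subpkt 2 len 4 (sig created 2015-04-07)
    subpkt 16 len 8 (issuer key ID 3EE67F3D0FF405B2)
"""
KEY_LINE = "1024 bit DSA key 0x3EE67F3D0FF405B2, created: 2009-04-29"

def parse_signature(dump):
    """Extract issuer key ID, public-key algorithm and digest algorithm."""
    sig = re.search(r":signature packet: algo (\d+), keyid ([0-9A-F]{16})", dump)
    dig = re.search(r"digest algo (\d+)", dump)
    if not sig or not dig:
        raise ValueError("no signature packet found")
    return {
        "keyid": sig.group(2),
        "pubkey": PUBKEY_ALGOS.get(int(sig.group(1)), "unknown"),
        "digest": DIGEST_ALGOS.get(int(dig.group(1)), "unknown"),
    }

def audit(dump, key_line):
    """Return the parsed signature and a list of policy findings."""
    sig = parse_signature(dump)
    findings = []
    if sig["digest"] in WEAK_DIGESTS or sig["digest"] == "unknown":
        findings.append(f"signature digest is {sig['digest']}")
    key = re.search(r"(\d+) bit (\w+) key 0x([0-9A-F]{16})", key_line)
    if not key or key.group(3) != sig["keyid"]:
        findings.append("key listing does not match the signature's issuer")
    elif key.group(2) in ("RSA", "DSA") and int(key.group(1)) < MIN_BITS:
        findings.append(f"{key.group(1)}-bit {key.group(2)} signing key")
    return sig, findings

if __name__ == "__main__":
    parsed, warnings = audit(PACKETS, KEY_LINE)
    print(parsed)
    for w in warnings:
        print("WARN:", w)
```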
badbodh
Level 2
Posts: 51
Joined: Tue Jul 06, 2010 12:50 am
Location: India

Re: SHA256 and HTTPS for hashes

Post by badbodh »

nice way to advertise unrelated stuff here
Windows assumes I'm stupid but Linux proves it.