software repositories not in https???

Questions about applications and software
Forum rules
Before you post please read how to get help
rene
Level 8
Level 8
Posts: 2166
Joined: Sun Mar 27, 2016 6:58 pm

Re: software repositories not in https???

Post by rene » Wed Sep 19, 2018 5:28 am

Also...
bradmor wrote:
Tue Sep 18, 2018 11:10 pm
Not exactly what I was noticing with the lack of https, but [ ... ]
Rather, not having any single thing to do with HTTP versus HTTPS.

gm10
Level 10
Level 10
Posts: 3340
Joined: Thu Jun 21, 2018 5:11 pm

Re: software repositories not in https???

Post by gm10 » Wed Sep 19, 2018 5:36 am

Yep, all you found is that there is malicious software out there. Big surprise! Nobody vetted all the over 130k packages in Ubuntu's universe repository, either (enabled by default in Mint). Stay vigilant.

bradmor
Level 1
Level 1
Posts: 8
Joined: Sun Sep 09, 2018 7:23 am

Re: software repositories not in https???

Post by bradmor » Fri Sep 21, 2018 3:27 pm

very true, but how do you define "use" - ? As silly as this may sound, how do I know if the insecure http connection was intercepted (MITM attack) and then a software package containing malware or just a bogus one was downloaded onto my device...? Is it more an issue of intent or more about practicalities of the program was running on my device?
While the fairness principle plays a big role in the legal field, I guess my point here is that security is always a "game" of risk management and I still can't believe that most Linux mirrors are not automatically https. There will always be risks and there will always be vulnerabilities/exploits, but I was just trying to point out areas that seem to be big holes to anyone with more knowledge than myself. Then whoever is responsible for those things can make the decisions about prioritizing fixes. I don't feel knowledgeable enough to know which problems need more attention than others AKA prioritization, leave that up to the people in charge of those things - that's why they get paid the big bucks.

gm10
Level 10
Level 10
Posts: 3340
Joined: Thu Jun 21, 2018 5:11 pm

Re: software repositories not in https???

Post by gm10 » Fri Sep 21, 2018 3:36 pm

What are you even talking about now? As already stated, the example you are discussing has nothing to do with any transport security or MTM attacks. There was simply malware uploaded to a community repository. Using the regular channels. Nothing complicated at all.

On the wider issue, I already agreed with you. But I already told you how to switch your sources to HTTPS, so what's the problem that remains with that particular issue?

Just to confuse you more, here's a good read for you btw: https://blog.packagecloud.io/eng/2018/0 ... ositories/
Last edited by gm10 on Fri Sep 21, 2018 3:42 pm, edited 1 time in total.

rene
Level 8
Level 8
Posts: 2166
Joined: Sun Mar 27, 2016 6:58 pm

Re: software repositories not in https???

Post by rene » Fri Sep 21, 2018 3:41 pm

bradmor wrote:
Fri Sep 21, 2018 3:27 pm
As silly as this may sound, how do I know if the insecure http connection was intercepted (MITM attack) and then a software package containing malware or just a bogus one was downloaded onto my device...?
As said a number of times now, the packages themselves are cryptographically signed. A package with even a single bit different bit from the by Ubuntu/Mint signed one will not pass the signature-verification; will at that point be kept from being installed onto your system (note, by the way, that also repositories themselves are signed; cannot just be replaced either).

gm10
Level 10
Level 10
Posts: 3340
Joined: Thu Jun 21, 2018 5:11 pm

Re: software repositories not in https???

Post by gm10 » Fri Sep 21, 2018 3:43 pm

rene wrote:
Fri Sep 21, 2018 3:41 pm
As said a number of times now, the packages themselves are cryptographically signed. A package with even a single bit different bit from the by Ubuntu/Mint signed one will not pass the signature-verification; will at that point be kept from being installed onto your system (note, by the way, that also repositories themselves are signed; cannot just be replaced either).
Packages are not signed. Only the repo manifests (hashes).
Last edited by gm10 on Fri Sep 21, 2018 3:50 pm, edited 2 times in total.

rene
Level 8
Level 8
Posts: 2166
Joined: Sun Mar 27, 2016 6:58 pm

Re: software repositories not in https???

Post by rene » Fri Sep 21, 2018 3:49 pm

Fine; that ends up being the same thing.

gm10
Level 10
Level 10
Posts: 3340
Joined: Thu Jun 21, 2018 5:11 pm

Re: software repositories not in https???

Post by gm10 » Fri Sep 21, 2018 3:55 pm

rene wrote:
Fri Sep 21, 2018 3:49 pm
Fine; that ends up being the same thing.
Sure. But then there's always the bugs with this. There have been plenty, just last month there was this: https://usn.ubuntu.com/3746-1/

Everybody not keeping their system up to date and everybody installing Mint now is vulnerable to this and risks a compromised system. So I object to you all downplaying the issues. OP is entirely correct to be concerned, and the constant "Linux is secure" mantra just shows how very insecure the system is simply because of the culture not to question the security.

rene
Level 8
Level 8
Posts: 2166
Joined: Sun Mar 27, 2016 6:58 pm

Re: software repositories not in https???

Post by rene » Fri Sep 21, 2018 6:04 pm

gm10 wrote:
Fri Sep 21, 2018 3:55 pm
Everybody not keeping their system up to date and everybody installing Mint now is vulnerable to this
With "this" being a not to a normal Mint user applicable theoretical threat, described as, with emphasis mine,
If a remote attacker were able to perform a man-in-the-middle attack, this flaw could potentially be used to install altered packages in environments configured to use mirror:// entries.
The mirror:// protocol is not something I have ever used, and that is foregoing the other two ifs in there. As basically always in this field and double (triple, quadruple, ...) as concerning Linux systems, it is an example of a theoretical attack with little to no real-world relevance, pre- nor post-notification. Don't at this point know anymore if it was this thread or a previous one but as mentioned before, I can appreciate someone invested in computer-security getting a warped world-view -- not meant derogatory: back when I was still counting assembly-language clock-cycles I can assure you that my views were pretty warped; such is the effect of over-concentration on minute details -- simply since the complexity of the technology allows for pitfalls around most any corner, but I still need to assure you that those not invested in security are actually a heck of a lot better judging actual risk levels; to much better understand words such as "potentially".

And I in that sense rather object to the constant upplaying of theoretical security issues. I expect we will not be seeing eye to eye on this, so I expect I'll also leave it at that as far this thread is concerned, but I do in fact think it's important that someone provides a bit of counter-weight at times. It's not like the vocal weight of the security-invested is yet anywhere near matched after all...

gm10
Level 10
Level 10
Posts: 3340
Joined: Thu Jun 21, 2018 5:11 pm

Re: software repositories not in https???

Post by gm10 » Fri Sep 21, 2018 6:29 pm

rene wrote:
Fri Sep 21, 2018 6:04 pm
And I in that sense rather object to the constant upplaying of theoretical security issues. I expect we will not be seeing eye to eye on this, so I expect I'll also leave it at that as far this thread is concerned, but I do in fact think it's important that someone provides a bit of counter-weight at times. It's not like the vocal weight of the security-invested is yet anywhere near matched after all...
I don't think you can point to any evidence of me up-playing this issue, I only object when claims are made that it's a non-issue, which it clearly is not. Attack vectors always require certain circumstances to be met to become relevant, but just because you personally may not meet those in a single example that I provided (and there have been a number of different MTM vulnerabilities in apt over the years) that hardly qualifies as a valid basis to advise others to disregard security vulnerabilities from the get-go.

I'll agree to disagree if you want, although I'm not sure how much we actually disagree. MTM attacks are not something the regular Mint user will have to worry about. There are easier ways to get malware onto a system, MTM stuff is more of an issue where state actors seek to control the flow of information and they have other ways of doing than than poisoning repositories of a fringe operating system. ;)

rene
Level 8
Level 8
Posts: 2166
Joined: Sun Mar 27, 2016 6:58 pm

Re: software repositories not in https???

Post by rene » Fri Sep 21, 2018 7:00 pm

gm10 wrote:
Fri Sep 21, 2018 6:29 pm
[ ... ] I only object when claims are made that it's a non-issue, which it clearly is not.
Yet, in the last sentence of the very same reply you note that it clearly is as far as real-world thread and the context of this specific forum is concerned. This then seems to be saying that potential (...) remaining disagreement between specifically us consists of me insisting on always taking both real-world and context into account, and you not.

Well, I note also that I have characterized HTTPS for APT as having little to no upside -- again, real-world, in context, which I still stand by -- whereas I did see a significant downside regarding proxying. Poster on the other hand broke out the exclamation mark and is/was ready to run of to another distribution. This might then also mean we additionally have differing opinions left of what level constitutes up- or downplaying.

Shall we call it a day? :)

gm10
Level 10
Level 10
Posts: 3340
Joined: Thu Jun 21, 2018 5:11 pm

Re: software repositories not in https???

Post by gm10 » Fri Sep 21, 2018 7:24 pm

rene wrote:
Fri Sep 21, 2018 7:00 pm
Yet, in the last sentence of the very same reply you note that it clearly is as far as real-world thread and the context of this specific forum is concerned.
[...]
Shall we call it a day? :)
Yes, please, otherwise I'll go off on a tangent about the context of this forum and neither of us wants that. :lol:

Post Reply

Return to “Software & Applications”