software repositories not in https?

rene
Level 20
Posts: 12212
Joined: Sun Mar 27, 2016 6:58 pm

Re: software repositories not in https???

Post by rene »

Also...
bradmor wrote: Tue Sep 18, 2018 11:10 pm Not exactly what I was noticing with the lack of https, but [ ... ]
Rather, not having any single thing to do with HTTP versus HTTPS.
gm10

Re: software repositories not in https???

Post by gm10 »

Yep, all you found is that there is malicious software out there. Big surprise! Nobody vetted all the over 130k packages in Ubuntu's universe repository, either (enabled by default in Mint). Stay vigilant.
bradmor
Level 1
Posts: 11
Joined: Sun Sep 09, 2018 7:23 am

Re: software repositories not in https???

Post by bradmor »

Very true, but how do you define "use" - ? As silly as this may sound, how do I know if the insecure http connection was intercepted (MITM attack) and then a software package containing malware or just a bogus one was downloaded onto my device...? Is it more an issue of intent or more about practicalities of the program was running on my device?
While the fairness principle plays a big role in the legal field, I guess my point here is that security is always a "game" of risk management and I still can't believe that most Linux mirrors are not automatically https. There will always be risks and there will always be vulnerabilities/exploits, but I was just trying to point out areas that seem to be big holes to anyone with more knowledge than myself. Then whoever is responsible for those things can make the decisions about prioritizing fixes. I don't feel knowledgeable enough to know which problems need more attention than others AKA prioritization, leave that up to the people in charge of those things - that's why they get paid the big bucks.
gm10

Re: software repositories not in https???

Post by gm10 »

What are you even talking about now? As already stated, the example you are discussing has nothing to do with any transport security or MTM attacks. There was simply malware uploaded to a community repository. Using the regular channels. Nothing complicated at all.

On the wider issue, I already agreed with you. But I already told you how to switch your sources to HTTPS, so what's the problem that remains with that particular issue?

Just to confuse you more, here's a good read for you btw: https://blog.packagecloud.io/eng/2018/0 ... ositories/
Last edited by gm10 on Fri Sep 21, 2018 3:42 pm, edited 1 time in total.
rene
Level 20
Posts: 12212
Joined: Sun Mar 27, 2016 6:58 pm

Re: software repositories not in https???

Post by rene »

bradmor wrote: Fri Sep 21, 2018 3:27 pm As silly as this may sound, how do I know if the insecure http connection was intercepted (MITM attack) and then a software package containing malware or just a bogus one was downloaded onto my device...?
As said a number of times now, the packages themselves are cryptographically signed. A package with even a single bit different from the one signed by Ubuntu/Mint will not pass the signature verification; it will at that point be kept from being installed onto your system (note, by the way, that the repositories themselves are also signed; they cannot just be replaced either).
gm10

Re: software repositories not in https???

Post by gm10 »

rene wrote: Fri Sep 21, 2018 3:41 pm As said a number of times now, the packages themselves are cryptographically signed. A package with even a single bit different from the one signed by Ubuntu/Mint will not pass the signature verification; it will at that point be kept from being installed onto your system (note, by the way, that the repositories themselves are also signed; they cannot just be replaced either).
Packages are not signed. Only the repo manifests (hashes).
Last edited by gm10 on Fri Sep 21, 2018 3:50 pm, edited 2 times in total.
rene
Level 20
Posts: 12212
Joined: Sun Mar 27, 2016 6:58 pm

Re: software repositories not in https???

Post by rene »

Fine; that ends up being the same thing.
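
The chain discussed in the posts above, shown as an added example that is not from any poster or from apt itself: the signed Release file lists the SHA256 of the Packages index, which in turn lists the SHA256 of each .deb. The Release signature check is assumed to have already passed, and the Release, Packages and .deb contents below are constructed sample data.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def release_hashes(release_text: str) -> dict:
    """Map index path -> (sha256, size) from the SHA256: section of a Release file."""
    out, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):      # a new field starts; only SHA256: interests us
            in_section = line.strip() == "SHA256:"
        elif in_section:                  # indented continuation: "<hash> <size> <path>"
            digest, size, path = line.split()
            out[path] = (digest, int(size))
    return out

def package_stanzas(packages_text: str) -> dict:
    """Map package name -> field dict from a Packages index."""
    out = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        out[fields["Package"]] = fields
    return out

def verify_deb(release_text, index_path, packages_bytes, name, deb_bytes) -> bool:
    """True only if the .deb chains to an already signature-verified Release (assumed)."""
    expected = release_hashes(release_text).get(index_path)
    if expected != (sha256_hex(packages_bytes), len(packages_bytes)):
        return False                      # index altered or replaced in transit
    entry = package_stanzas(packages_bytes.decode()).get(name)
    return (entry is not None
            and int(entry["Size"]) == len(deb_bytes)
            and entry["SHA256"] == sha256_hex(deb_bytes))

# Constructed sample data, not real repository content.
DEB = b"constructed stand-in for the bytes of hello_1.0_amd64.deb"
PACKAGES = ("Package: hello\nVersion: 1.0\n"
            "Filename: pool/main/h/hello/hello_1.0_amd64.deb\n"
            f"Size: {len(DEB)}\nSHA256: {sha256_hex(DEB)}\n").encode()
INDEX = "main/binary-amd64/Packages"
RELEASE = ("Origin: Example\nSuite: example\n"
           f"SHA256:\n {sha256_hex(PACKAGES)} {len(PACKAGES)} {INDEX}\n")

def demo():
    tampered = DEB[:-1] + b"X"            # same length, last byte changed in transit
    return tuple(verify_deb(RELEASE, INDEX, PACKAGES, "hello", d) for d in (DEB, tampered))

if __name__ == "__main__":
    print(demo())
```

Rewriting the Packages index to match an altered .deb does not help an interceptor either, because the index hash no longer matches the entry in the signed Release file.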
gm10

Re: software repositories not in https???

Post by gm10 »

rene wrote: Fri Sep 21, 2018 3:49 pm Fine; that ends up being the same thing.
Sure. But then there's always the bugs with this. There have been plenty, just last month there was this: https://usn.ubuntu.com/3746-1/

Everybody not keeping their system up to date and everybody installing Mint now is vulnerable to this and risks a compromised system. So I object to you all downplaying the issues. OP is entirely correct to be concerned, and the constant "Linux is secure" mantra just shows how very insecure the system is simply because of the culture not to question the security.
rene
Level 20
Posts: 12212
Joined: Sun Mar 27, 2016 6:58 pm

Re: software repositories not in https???

Post by rene »

gm10 wrote: Fri Sep 21, 2018 3:55 pm Everybody not keeping their system up to date and everybody installing Mint now is vulnerable to this
With "this" being a theoretical threat not applicable to a normal Mint user, described as, with emphasis mine,
If a remote attacker were able to perform a man-in-the-middle attack, this flaw could potentially be used to install altered packages in environments configured to use mirror:// entries.
The mirror:// protocol is not something I have ever used, and that is foregoing the other two ifs in there. As basically always in this field and double (triple, quadruple, ...) as concerning Linux systems, it is an example of a theoretical attack with little to no real-world relevance, pre- nor post-notification. Don't at this point know anymore if it was this thread or a previous one but as mentioned before, I can appreciate someone invested in computer-security getting a warped world-view -- not meant derogatory: back when I was still counting assembly-language clock-cycles I can assure you that my views were pretty warped; such is the effect of over-concentration on minute details -- simply since the complexity of the technology allows for pitfalls around most any corner, but I still need to assure you that those not invested in security are actually a heck of a lot better judging actual risk levels; to much better understand words such as "potentially".

And I in that sense rather object to the constant upplaying of theoretical security issues. I expect we will not be seeing eye to eye on this, so I expect I'll also leave it at that as far as this thread is concerned, but I do in fact think it's important that someone provides a bit of counter-weight at times. It's not like the vocal weight of the security-invested is yet anywhere near matched after all...
gm10

Re: software repositories not in https???

Post by gm10 »

rene wrote: Fri Sep 21, 2018 6:04 pm And I in that sense rather object to the constant upplaying of theoretical security issues. I expect we will not be seeing eye to eye on this, so I expect I'll also leave it at that as far as this thread is concerned, but I do in fact think it's important that someone provides a bit of counter-weight at times. It's not like the vocal weight of the security-invested is yet anywhere near matched after all...
I don't think you can point to any evidence of me up-playing this issue, I only object when claims are made that it's a non-issue, which it clearly is not. Attack vectors always require certain circumstances to be met to become relevant, but just because you personally may not meet those in a single example that I provided (and there have been a number of different MTM vulnerabilities in apt over the years) that hardly qualifies as a valid basis to advise others to disregard security vulnerabilities from the get-go.

I'll agree to disagree if you want, although I'm not sure how much we actually disagree. MTM attacks are not something the regular Mint user will have to worry about. There are easier ways to get malware onto a system, MTM stuff is more of an issue where state actors seek to control the flow of information and they have other ways of doing that than poisoning repositories of a fringe operating system. ;)
rene
Level 20
Posts: 12212
Joined: Sun Mar 27, 2016 6:58 pm

Re: software repositories not in https???

Post by rene »

gm10 wrote: Fri Sep 21, 2018 6:29 pm [ ... ] I only object when claims are made that it's a non-issue, which it clearly is not.
Yet, in the last sentence of the very same reply you note that it clearly is as far as real-world threat and the context of this specific forum is concerned. This then seems to be saying that potential (...) remaining disagreement between specifically us consists of me insisting on always taking both real-world and context into account, and you not.

Well, I note also that I have characterized HTTPS for APT as having little to no upside -- again, real-world, in context, which I still stand by -- whereas I did see a significant downside regarding proxying. Poster on the other hand broke out the exclamation mark and is/was ready to run off to another distribution. This might then also mean we additionally have differing opinions left of what level constitutes up- or downplaying.

Shall we call it a day? :)
gm10

Re: software repositories not in https???

Post by gm10 »

rene wrote: Fri Sep 21, 2018 7:00 pm Yet, in the last sentence of the very same reply you note that it clearly is as far as real-world threat and the context of this specific forum is concerned.
[...]
Shall we call it a day? :)
Yes, please, otherwise I'll go off on a tangent about the context of this forum and neither of us wants that. :lol:
bradmor
Level 1
Posts: 11
Joined: Sun Sep 09, 2018 7:23 am

Re: software repositories not in https???

Post by bradmor »

gm10: I just tried to manually edit the software repository lists file. There was only the official package repositories list, there was no source document for me. Although I am now running LM 19.3, not 18.3 as I was when I started this post. When I added s onto the http listed and then clicked refresh in the update manager it listed an error message that it could not connect. Any other ideas?
gittiest personITW
Level 12
Posts: 4285
Joined: Tue May 28, 2019 4:27 pm

Re: software repositories not in https???

Post by gittiest personITW »

Hi Bradmor,
Unfortunately, gm10 reached 11000 posts and as the small print says in the terms and conditions, to paraphrase, once level 20 and 11000 posts have been reached, it is required that the member of the forum that achieves this must scoop out their brain and put it into cryogenic storage for more advanced generations/civilisations/beings to study.

I'm sure someone will be along shortly who may be able to help though.
rene
Level 20
Posts: 12212
Joined: Sun Mar 27, 2016 6:58 pm

Re: software repositories not in https???

Post by rene »

gittiest personITW wrote: Sat May 16, 2020 1:19 pm I'm sure someone will be along shortly who may be able to help though.
Just reviewed the thread and I personally already supplied excellent help on this subject, even if I say so myself, so I'll just leave it at that: stop worrying about nothing.