Re: [arch-general] secure package signing related websites

On 05.03.2012 10:04, Christian Hesse wrote:

Leonid Isaev on Sun, 4 Mar 2012 10:32:45 -0600:

...

On Sun, 4 Mar 2012 14:56:43 +0100 Christian Hesse wrote:

...

Ionut Biru on Sun, 04 Mar 2012 12:57:53 +0200:

...

On 03/04/2012 12:22 PM, Christian Hesse wrote:

...

I think it makes sense to not allow pages related to package signing being delivered via http. Instead automatically redirect to https to avoid man in the middle attacks. First site that comes to my mind: https://www.archlinux.org/master-keys/

The strong point of the signing thingy is users' ability to verify keys using multiple independent sources, such as devs' personal websites, keyservers, etc. Relying on archlinux.org solely would be a mistake, imho. Do I really trust in integrity of archlinux.org infrastructure? Not really, but I don't have to.

Having said that, just use https:// directly or install a browser plugin (e.g. https finder).

Sure you should check multiple independent sources. But if all of them are unencrypted by default it would be fairly easy to use netsed or similar tools on a single network node to replace all key fingerprints by faked ones.

Only those users that are aware of this risk will use https://.

And those that aren't will just enter "archlinux.org" in the URL bar which defaults to http in most/all browsers. That means an attacker can simply remove the redirection, fetch the page over https himself, change it and relay that over the http connection. -- Florian Pritz