[arch-general] secure package signing related websites (was: Re: Keyring package for real)
Hello everybody,

(As I am not allowed to post to arch-dev-public resending it here.)

ok, not really related to the keyring package, but it came to my mind when installing it and while signing the key:

I think it makes sense to not allow pages related to package signing being delivered via http. Instead automatically redirect to https to avoid man in the middle attacks. First site that comes to my mind: https://www.archlinux.org/master-keys/

--
Best regards,
Chris
O< ascii ribbon campaign
stop html mail - www.asciiribbon.org
On 03/04/2012 12:22 PM, Christian Hesse wrote:
> Hello everybody,
>
> (As I am not allowed to post to arch-dev-public resending it here.)
>
> ok, not really related to the keyring package, but it came to my mind when installing it and while signing the key:
>
> I think it makes sense to not allow pages related to package signing being delivered via http. Instead automatically redirect to https to avoid man in the middle attacks. First site that comes to my mind: https://www.archlinux.org/master-keys/

open a feature request and tag it with {archweb}

--
Ionuț
Ionut Biru <ibiru@archlinux.org> on Sun, 04 Mar 2012 12:57:53 +0200:
> On 03/04/2012 12:22 PM, Christian Hesse wrote:
>> I think it makes sense to not allow pages related to package signing being delivered via http. Instead automatically redirect to https to avoid man in the middle attacks. First site that comes to my mind: https://www.archlinux.org/master-keys/
>
> open a feature request and tag it with {archweb}

Done. Thanks!

https://bugs.archlinux.org/task/28771

--
Best regards,
Chris
O< ascii ribbon campaign
stop html mail - www.asciiribbon.org
On Sun, 4 Mar 2012 14:56:43 +0100 Christian Hesse <list@eworm.de> wrote:
> Ionut Biru <ibiru@archlinux.org> on Sun, 04 Mar 2012 12:57:53 +0200:
>> On 03/04/2012 12:22 PM, Christian Hesse wrote:
>>> I think it makes sense to not allow pages related to package signing being delivered via http. Instead automatically redirect to https to avoid man in the middle attacks. First site that comes to my mind: https://www.archlinux.org/master-keys/
>>
>> open a feature request and tag it with {archweb}
>
> Done. Thanks!
>
> https://bugs.archlinux.org/task/28771

The strong point of the signing thingy is users' ability to verify keys using multiple independent sources, such as devs' personal websites, keyservers, etc. Relying on archlinux.org solely would be a mistake, imho. Do I really trust in integrity of archlinux.org infrastructure? Not really, but I don't have to.

Having said that, just use https:// directly or install a browser plugin (e.g. https finder).

--
Leonid Isaev
GnuPG key ID: 164B5A6D
Key fingerprint: C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
Leonid Isaev <lisaev@umail.iu.edu> on Sun, 4 Mar 2012 10:32:45 -0600:
> On Sun, 4 Mar 2012 14:56:43 +0100 Christian Hesse <list@eworm.de> wrote:
>> Ionut Biru <ibiru@archlinux.org> on Sun, 04 Mar 2012 12:57:53 +0200:
>>> On 03/04/2012 12:22 PM, Christian Hesse wrote:
>>>> I think it makes sense to not allow pages related to package signing being delivered via http. Instead automatically redirect to https to avoid man in the middle attacks. First site that comes to my mind: https://www.archlinux.org/master-keys/
>>>
>>> open a feature request and tag it with {archweb}
>>
>> Done. Thanks!
>>
>> https://bugs.archlinux.org/task/28771
>
> The strong point of the signing thingy is users' ability to verify keys using multiple independent sources, such as devs' personal websites, keyservers, etc. Relying on archlinux.org solely would be a mistake, imho. Do I really trust in integrity of archlinux.org infrastructure? Not really, but I don't have to.
>
> Having said that, just use https:// directly or install a browser plugin (e.g. https finder).

Sure you should check multiple independent sources. But if all of them are unencrypted by default it would be fairly easy to use netsed or similar tools on a single network node to replace all key fingerprints by faked ones. Only those users that are aware of this risk will use https://.

--
Best regards,
Chris
O< ascii ribbon campaign
stop html mail - www.asciiribbon.org
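The two messages above describe a check that is easy to automate on the verifying side: collect the fingerprint a key is reported to have from several independent sources, normalize the differing formats (spaced web-page listings, colon-separated keyserver machine output), and refuse to accept any fingerprint that is not backed by more than one source. The script below is an added example written for this thread, not code from Arch, archweb or any of the posters; the source URLs, key ID and fingerprints in it are constructed sample data, and the third source is deliberately constructed to disagree so the mismatch path is exercised.

```python
"""Cross-check a PGP key fingerprint reported by several independent sources.

Added example, not from the mailing-list thread. All URLs, the key ID and
the fingerprints below are constructed sample data, not real Arch master keys.
"""
import re
from collections import Counter

# Constructed sample: the text each "source" returned for the same key.
# The third entry models a page fetched over plain http that was altered
# on the way (last fingerprint group differs).
SOURCES = {
    "https://example.org/master-keys/":
        "Master key 0x12345678 Fingerprint: AAAA BBBB CCCC DDDD EEEE  FFFF 0000 1111 2222 3333",
    "hkps://keyserver.example/":
        "fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:",
    "http://dev.example.net/~dev/":
        "Fingerprint: AAAA BBBB CCCC DDDD EEEE  FFFF 0000 1111 2222 DEAD",
}

# Ten groups of four hex digits, with any amount of whitespace between groups.
FPR_RE = re.compile(r"(?:[0-9A-Fa-f]{4}\s*){10}")


def extract_fingerprints(text):
    """Return the normalized (upper-case, no whitespace) 40-hex-digit
    fingerprints found in text, in order of appearance."""
    found = []
    for match in FPR_RE.finditer(text):
        fpr = re.sub(r"\s+", "", match.group(0)).upper()
        if len(fpr) == 40:
            found.append(fpr)
    return found


def cross_check(sources):
    """Compare the fingerprints the sources report for one key.

    Returns (consensus, disagreeing_sources). consensus is the fingerprint
    backed by at least two sources, or None when no fingerprint reaches
    that bar; disagreeing_sources lists every source that did not report it.
    """
    per_source = {url: set(extract_fingerprints(text))
                  for url, text in sources.items()}
    counts = Counter(f for fprs in per_source.values() for f in fprs)
    if not counts:
        return None, sorted(per_source)
    top, support = counts.most_common(1)[0]
    if support < 2:
        return None, sorted(per_source)
    disagreeing = sorted(url for url, fprs in per_source.items() if top not in fprs)
    return top, disagreeing


def plaintext_sources(sources):
    """Sources reached over plain http: their content could have been altered
    in transit, so a disagreement there is exactly what the thread warns about."""
    return sorted(url for url in sources if url.startswith("http://"))


if __name__ == "__main__":
    consensus, bad = cross_check(SOURCES)
    print("consensus fingerprint:", consensus)
    print("sources that disagree:", bad)
    print("sources fetched over plain http:", plaintext_sources(SOURCES))
```

The consensus rule is deliberately conservative: one source agreeing with itself is not confirmation, and a disagreement from any source is reported rather than silently outvoted, so the operator can look at which transport that source used before deciding what to trust.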
On 05.03.2012 10:04, Christian Hesse wrote:
> Leonid Isaev <lisaev@umail.iu.edu> on Sun, 4 Mar 2012 10:32:45 -0600:
>> On Sun, 4 Mar 2012 14:56:43 +0100 Christian Hesse <list@eworm.de> wrote:
>>> Ionut Biru <ibiru@archlinux.org> on Sun, 04 Mar 2012 12:57:53 +0200:
>>>> On 03/04/2012 12:22 PM, Christian Hesse wrote:
>>>>> I think it makes sense to not allow pages related to package signing being delivered via http. Instead automatically redirect to https to avoid man in the middle attacks. First site that comes to my mind: https://www.archlinux.org/master-keys/
>>
>> The strong point of the signing thingy is users' ability to verify keys using multiple independent sources, such as devs' personal websites, keyservers, etc. Relying on archlinux.org solely would be a mistake, imho. Do I really trust in integrity of archlinux.org infrastructure? Not really, but I don't have to.
>>
>> Having said that, just use https:// directly or install a browser plugin (e.g. https finder).
>
> Sure you should check multiple independent sources. But if all of them are unencrypted by default it would be fairly easy to use netsed or similar tools on a single network node to replace all key fingerprints by faked ones.
>
> Only those users that are aware of this risk will use https://.

And those that aren't will just enter "archlinux.org" in the URL bar which defaults to http in most/all browsers. That means an attacker can simply remove the redirection, fetch the page over https himself, change it and relay that over the http connection.

--
Florian Pritz
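Florian's point is that a redirect issued over http is itself plaintext and can be removed on the path. The standard mitigation for that is HTTP Strict Transport Security (RFC 6797): the https response carries a Strict-Transport-Security header, and a browser that has seen it upgrades later http URLs for that host locally, before any request leaves the machine. The first plain-http visit is still exposed, which is why browsers additionally ship a preload list. The code below is an added example modelling both halves as pure functions; it is not code from the thread or from archweb, and the hostname and max-age are constructed sample values.

```python
"""HTTP->HTTPS redirect plus HSTS, modelled as pure functions.

Added example, not code from the thread or from archweb. The hostname and
max-age used here are constructed sample values.
"""
from urllib.parse import urlsplit, urlunsplit

REDIRECT_CODES = (301, 302, 307, 308)
HSTS_MAX_AGE = 31536000  # one year, sample value


def server_response(url):
    """Return (status, headers) for a request as the origin server sees it.

    A plain-http request gets a permanent redirect to the same URL over https.
    Strict-Transport-Security is only sent on https responses: RFC 6797 tells
    clients to ignore the header when it arrives over http, so sending it
    there buys nothing.
    """
    parts = urlsplit(url)
    if parts.scheme == "http":
        target = urlunsplit(("https", parts.netloc, parts.path, parts.query, ""))
        return 301, {"Location": target}
    headers = {
        "Strict-Transport-Security": f"max-age={HSTS_MAX_AGE}; includeSubDomains",
        "Content-Type": "text/html",
    }
    return 200, headers


def client_fetch(url, hsts_cache):
    """Simulate a browser loading url; return the list of URLs it sent on the wire.

    hsts_cache is the set of hosts the browser holds an HSTS entry for. It is
    consulted before the first request and updated from https responses that
    carry Strict-Transport-Security. Every http:// entry in the returned list
    is a request that a node on the path could have tampered with.
    """
    wire = []
    parts = urlsplit(url)
    if parts.scheme == "http" and parts.hostname in hsts_cache:
        # Known HSTS host: upgrade locally, no plaintext request is ever made.
        url = urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
    for _ in range(5):  # follow a bounded number of redirects
        wire.append(url)
        status, headers = server_response(url)
        if status in REDIRECT_CODES:
            url = headers["Location"]
            continue
        if urlsplit(url).scheme == "https" and "Strict-Transport-Security" in headers:
            hsts_cache.add(urlsplit(url).hostname)
        return wire
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    cache = set()
    print("first visit :", client_fetch("http://www.example.org/master-keys/", cache))
    print("second visit:", client_fetch("http://www.example.org/master-keys/", cache))
```

On the first visit the list contains one http:// URL followed by the https:// one; that single plaintext request is the window Florian describes. On every later visit within max-age the list contains only the https:// URL, so there is no redirect on the wire for anyone to strip. Closing the first-visit window needs the host on the browsers' HSTS preload list, which is a submission process rather than a server header.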
participants (4)
- Christian Hesse
- Florian Pritz
- Ionut Biru
- Leonid Isaev