[arch-general] secure package signing related websites

Florian Pritz bluewind at xinu.at
Mon Mar 5 04:40:55 EST 2012


On 05.03.2012 10:04, Christian Hesse wrote:
> Leonid Isaev <lisaev at umail.iu.edu> on Sun, 4 Mar 2012 10:32:45 -0600:
>> On Sun, 4 Mar 2012 14:56:43 +0100
>> Christian Hesse <list at eworm.de> wrote:
>> > Ionut Biru <ibiru at archlinux.org> on Sun, 04 Mar 2012 12:57:53 +0200:
>> > > On 03/04/2012 12:22 PM, Christian Hesse wrote:
>> > > > I think it makes sense to not allow pages related to package signing
>> > > > being delivered via http. Instead automatically redirect to https to
>> > > > avoid man in the middle attacks. First site that comes to my mind:
>> > > > https://www.archlinux.org/master-keys/
>> 
>> The strong point of the signing thingy is users' ability to verify keys
>> using multiple independent sources, such as devs' personal websites,
>> keyservers, etc. Relying on archlinux.org solely would be a mistake, imho.
>> Do I really trust in integrity of archlinux.org infrastructure? Not really,
>> but I don't have to.
>> 
>> Having said that, just use https:// directly or install a browser plugin
>> (e.g. https finder). 
> 
> Sure you should check multiple independent sources. But if all of them are
> unencrypted by default it would be fairly easy to use netsed or similar tools
> on a single network node to replace all key fingerprints by faked ones.
> 
> Only those users that are aware of this risk will use https://.

And those that aren't will just enter "archlinux.org" in the URL bar
which defaults to http in most/all browsers. That means an attacker can
simply remove the redirection, fetch the page over https himself, change
it and relay that over the http connection.

-- 
Florian Pritz
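As an added illustration (not part of the thread), a Python check of the cross-source verification Leonid recommends: fingerprints extracted from several independently fetched pages are compared, and any fingerprint not confirmed by every source is flagged. The sample pages and fingerprints below are constructed, not real Arch master keys.

```python
import re
from typing import Dict, Set

# OpenPGP v4 fingerprints are 40 hex digits, usually printed in groups of 4.
FPR_RE = re.compile(r"\b(?:[0-9A-Fa-f]{4}[ \t]?){10}\b")

def extract_fingerprints(text: str) -> Set[str]:
    """Return the normalised (upper-case, no whitespace) fingerprints found in text."""
    return {re.sub(r"\s", "", m.group(0)).upper() for m in FPR_RE.finditer(text)}

def cross_check(sources: Dict[str, str]) -> Dict[str, Set[str]]:
    """Map each fingerprint to the names of the sources that publish it."""
    seen: Dict[str, Set[str]] = {}
    for name, text in sources.items():
        for fpr in extract_fingerprints(text):
            seen.setdefault(fpr, set()).add(name)
    return seen

def disputed(sources: Dict[str, str]) -> Dict[str, Set[str]]:
    """Fingerprints not confirmed by every source.

    A single altered page cannot fake agreement on the other channels, so a
    fingerprint that only some sources carry is the one to distrust.
    """
    table = cross_check(sources)
    return {f: s for f, s in table.items() if s != set(sources)}

# Constructed sample pages (hypothetical sources, fake fingerprints). The third
# source carries one altered fingerprint in place of "Master Key 2".
SOURCES = {
    "archlinux.org":  "Master Key 1: 0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567\n"
                      "Master Key 2: FEDC BA98 7654 3210 FEDC BA98 7654 3210 FEDC BA98\n",
    "dev-homepage":   "fingerprint 0123456789ABCDEF0123456789ABCDEF01234567\n"
                      "fingerprint fedcba9876543210fedcba9876543210fedcba98\n",
    "keyserver-http": "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567\n"
                      "DEAD BEEF DEAD BEEF DEAD BEEF DEAD BEEF DEAD BEEF\n",
}

if __name__ == "__main__":
    for fpr, where in disputed(SOURCES).items():
        print(f"NOT confirmed everywhere: {fpr} (only in {sorted(where)})")
```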
